OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Auriemma Luigi (aluigi_at_pivx.com)
Date: Sat Aug 24 2002 - 15:20:59 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ######################################################################

    Auriemma Luigi, PivX security advisory

    Application: Blazix (http://www.blazix.com)
    Version: 1.2 and previous
    Bug: Bad management of files requested with at the end some
                 "bad" characters
    Risk (low): An attacker can view jsp and other server side scripts
                 with the ability to access any password protected folders
    Author: Auriemma Luigi, Security Researcher, PivX Solutions, LLC
                 e-mail: aluigipivx.com

    ######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix
    5) Philosophy

    ______________________________________________________________________

    1) Introduction

    Blazix is a commercial webserver totally written in Java.
    It has some feautures like the Ejb server (port 2050) and the admin
    server (port 3010) for change some parameters and for stop or restart
    the webserver.
    Some functions of this server are: Servlets 2.3 usage, ION, JMS,
    E-mail sending support, Cluster Management, Class Reloads, Automatic
    EJB Primary Keys generation, Virtual Hosting support and other.

    ______________________________________________________________________

    2) Bug

    The bug I want to describe is one of the most diffused problems in the
    current applications.
    It is the problem that have some operating sytems API that open files
    without checking some character that can be attached to the file name.
    In Blazix the "bad" characters are '+' and '\' (NOT %2b and %5c).

    With this bug we can view all the server side scripts in it and, more
    dangerous, we have free access to the password protected folders.

    Attention because the version 1.2.1 (released for some days) is still
    vulnerable to the "password protected folder access" (only the jsp
    view has been fixed in this release).

    ______________________________________________________________________

    3) The Code

    A] Jsp view examples:

    http://127.0.0.1/jsptest.jsp+
    http://127.0.0.1/jsptest.jsp\

    B] Free protected folder access examples (bugtest is a folder that I
    have created and protected with a password):

    http://127.0.0.1/bugtest+/
    http://127.0.0.1/bugtest\/

    If you don't have a protected folder you can quickly follow these
    simple steps:

       a) make a new folder called bugtest in webfiles
       b) copy webfiles\index.html in webfiles\bugtest\index.html
       c) add "role.user.url: /bugtest/*" in web.ini file
       d) close and restart the web server for load the new settings

    ______________________________________________________________________

    4) Fix

    The Blazix team has patched the server and you can see your real
    version in the Readme.txt file in the Blazix folder (it is the ONLY
    place where is written the real version).
    Blazix 1.2.2 can be downloaded from its homepage:

    http://www.blazix.com

    ______________________________________________________________________

    5) Philosophy

    I'm really hopeful about the FULL-DISCLOSURE policy, because with it
    "everyone" can know the real effects of an attack, the real danger of
    a bug, someone can learn a bit of creative programming (I have learned
    a bit of interesting C from the source code of some published
    exploits) and it's useful for all the people that are hopeful in this
    type of disclosure.
    No secrets!

    ______________________________________________________________________

    About PivX Solutions
    PivX Solutions, is a premier network security consultancy offering a
    myriad of network security services to our clients, the most notable
    being our proprietary Risk and Vulnerability Assessment (RAVA).
    Dedicated PivX founders have also developed the patented Invisiwall
    network security device which offers the most comprehensive and secure
    intrusion detection system available.

    For more information go to http://www.PivX.com

    Any type of feedback is really welcome!

    Byez

    -- 
    PivX Security Researcher