Sun Java Web Server Web Admin / Bullettin Board Vulnerability
BID:1600
Info
Sun Java Web Server Web Admin / Bullettin Board Vulnerability
| Bugtraq ID: | 1600 |
| Class: | Input Validation Error |
| CVE: |
CVE-2000-0812 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Aug 22 2000 12:00AM |
| Updated: | Jul 11 2009 02:56AM |
| Credit: | Publicized in a Foundstone Advisory posted to Bugtraq on August 22, 2000 by Foundstone Labs <[email protected]> |
| Vulnerable: |
Sun Java Web Server 2.0 Sun Java Web Server 1.1.3 |
| Not Vulnerable: | |
Discussion
Sun Java Web Server Web Admin / Bullettin Board Vulnerability
The Java Web Server includes two features that when used together can be made to execute arbitrary code at the privilege level of the server.
The Web Administration module listens on port 9090 for administrative commands via http. By using the /servlet/ prefix, it is possible for a remote user to point the servlet "com.sun.server.http.pagecompile.jsp92.JspServlet" to any file in or below the administration webroot for compilation and execution.
The server also includes a sample application that provides bullettin board functionality. This application usesthe file board.html in the webroot to store all posted messages. Code can be entered as a posted message through the file /examples/applications/bboard/bboard_frames.html and will then be stored as part of board.html .
Therefore, it is possible for a remote user to inject JSP code into board.html, and then have the server execute it via the Administration module, using a URL like:
http:/target:9090/servlet/com.sun.server.http.pagecompile.jsp92.JspServlet/board.html
The Java Web Server includes two features that when used together can be made to execute arbitrary code at the privilege level of the server.
The Web Administration module listens on port 9090 for administrative commands via http. By using the /servlet/ prefix, it is possible for a remote user to point the servlet "com.sun.server.http.pagecompile.jsp92.JspServlet" to any file in or below the administration webroot for compilation and execution.
The server also includes a sample application that provides bullettin board functionality. This application usesthe file board.html in the webroot to store all posted messages. Code can be entered as a posted message through the file /examples/applications/bboard/bboard_frames.html and will then be stored as part of board.html .
Therefore, it is possible for a remote user to inject JSP code into board.html, and then have the server execute it via the Administration module, using a URL like:
http:/target:9090/servlet/com.sun.server.http.pagecompile.jsp92.JspServlet/board.html
Exploit / POC
Sun Java Web Server Web Admin / Bullettin Board Vulnerability
See the discussion, and for a more detailed explanation see the Foundstone advisory (linked to in the Credit section)
See the discussion, and for a more detailed explanation see the Foundstone advisory (linked to in the Credit section)
Solution / Fix
Sun Java Web Server Web Admin / Bullettin Board Vulnerability
Sun Java Web Server 1.1.3
Sun Java Web Server 2.0
Sun Java Web Server 1.1.3
-
Sun JWS 1.1.3 Patch 3
http://java.sun.com/products/java-server/jws113patch3.html
Sun Java Web Server 2.0
-
Sun JWS 2.0 Patch 3
http://java.sun.com/products/java-server/jws20patch3.html
References
Sun Java Web Server Web Admin / Bullettin Board Vulnerability
References:
References: