SecurityTracker.com
Category:  Application (Web Server/CGI)  >  Blazix
Vendors:  Desiderata Software
Blazix Java Application Server Input Validation Hole Discloses JSP Source Code and Password-Protected Directory Listings to Remote Users
SecurityTracker Alert ID:  1005135
CVE Reference:  GENERIC-MAP-NOMATCH
Updated:  Oct 10 2002
Original Entry Date:  Aug 25 2002
Impact:  Disclosure of system information, Disclosure of user information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 1.2 and prior versions
Description:  An input validation vulnerability was reported in the Blazix Java application server. A remote user can view JSP and script source code as well as the directory listings of password-protected folders.

PivX issued a security advisory warning that Blazix does not properly process URLs that contain certain characters. A remote user can create a specially crafted URL request to view the source code of JSP files and other scripts. Some demonstration exploit URLs are provided:

http://127.0.0.1/jsptest.jsp+
http://127.0.0.1/jsptest.jsp\

A remote user can reportedly view a listing of the contents of a password-protected folder using URLs of the following form:

http://127.0.0.1/bugtest+/
http://127.0.0.1/bugtest\/

Impact:  A remote user can view JSP source code. A remote user can list the contents of a password-protected web directory.
Solution:  The vendor has released a fixed version (1.2.1 and later), available at:

http://www.blazix.com/download.jsp

According to the report, you need to refer to the 'Readme.txt' file to determine the version number.

Vendor URL:  www.blazix.com/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Auriemma Luigi <aluigi@pivx.com>
Message History:   None.
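The failure the alert describes is a check that runs on the raw request string while the server's file lookup effectively sees a different path. The Python below is an added example written for this page, not Blazix's code: `canonical_path`, `is_protected` and the `/bugtest/` rule are modelled assumptions that mirror the advisory's `role.user.url: /bugtest/*` setting, and the log lines are constructed. It shows the naive check beside the hardened one and a small detector for such requests in Common Log Format access logs.

```python
import re
from urllib.parse import unquote

# Characters the advisory reports Blazix mishandling when appended to a path
# segment: a literal '+' or '\'. The encoded forms %2b and %5c were reported
# NOT to trigger the bug, but they are decoded and flagged here as well so
# that detection cannot be sidestepped by encoding.
BAD_TAIL = re.compile(r'[+\\](?=/|$)')
REQ_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def canonical_path(raw_path: str) -> str:
    """Decode once and drop a '+' or '\\' trailing a segment (a modelled
    normalisation, an assumption rather than Blazix's code). The point is
    that the role check and the file lookup must both use this string."""
    return BAD_TAIL.sub('', unquote(raw_path))

def is_protected(path: str, rules=('/bugtest/',)) -> bool:
    """Prefix match modelled on the advisory's 'role.user.url: /bugtest/*'."""
    return any(path.startswith(rule) for rule in rules)

def naive_check(raw_path: str) -> bool:
    """Vulnerable pattern: authorise on the raw request string."""
    return is_protected(raw_path)

def fixed_check(raw_path: str) -> bool:
    """Hardened pattern: authorise on the canonical form."""
    return is_protected(canonical_path(raw_path))

def scan_log(lines):
    """Return (client, raw_request_path) for Common Log Format lines whose
    request path has a '+' or '\\' trailing any segment."""
    hits = []
    for line in lines:
        m = REQ_LINE.search(line)
        if not m:
            continue
        raw = m.group(1).split('?', 1)[0]   # ignore the query string
        if BAD_TAIL.search(unquote(raw)):
            hits.append((line.split()[0], raw))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not from a real server
    '10.0.0.5 - - [24/Aug/2002:20:20:59 +0000] "GET /jsptest.jsp HTTP/1.0" 200 512',
    '10.0.0.5 - - [24/Aug/2002:20:21:03 +0000] "GET /jsptest.jsp+ HTTP/1.0" 200 1840',
    '10.0.0.7 - - [24/Aug/2002:20:21:10 +0000] "GET /bugtest%5c/ HTTP/1.0" 200 930',
    '10.0.0.9 - - [24/Aug/2002:20:21:20 +0000] "GET /a+b/page.jsp HTTP/1.0" 200 300',
]
```

`naive_check('/bugtest+/')` returns False, so the raw-string check would let the request through, while `fixed_check` on the same input returns True; `scan_log(SAMPLE_LOG)` flags the second and third lines only.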


 Source Message Contents

Date:  Sat, 24 Aug 2002 20:20:59 +0000
From:  Auriemma Luigi <aluigi@pivx.com>
Subject:  Blazix 1.2 jsp view and free protected folder access

 

######################################################################

Auriemma Luigi, PivX security advisory 

Application: Blazix (http://www.blazix.com)
Version:     1.2 and previous
Bug:         Bad management of files requested with at the end some
             "bad" characters
Risk (low):  An attacker can view jsp and other server side scripts
             with the ability to access any password protected folders
Author:      Auriemma Luigi, Security Researcher, PivX Solutions, LLC
             e-mail: aluigi@pivx.com

######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy

______________________________________________________________________


1) Introduction


Blazix is a commercial webserver written entirely in Java.
It has some features like the EJB server (port 2050) and the admin
server (port 3010) to change some parameters and to stop or restart
the webserver.
Some functions of this server are: Servlets 2.3 usage, ION, JMS,
E-mail sending support, Cluster Management, Class Reloads, Automatic
EJB Primary Keys generation, Virtual Hosting support and others.

______________________________________________________________________


2) Bug


The bug I want to describe is one of the most widespread problems in
current applications.
It is a problem that some operating system APIs have: they open files
without checking for certain characters that can be appended to the file name.
In Blazix the "bad" characters are '+' and '\' (NOT %2b and %5c).

With this bug we can view all the server-side scripts on it and, more
dangerously, we have free access to the password-protected folders.

Note that version 1.2.1 (released a few days ago) is still
vulnerable to the "password protected folder access" (only the jsp
view has been fixed in this release).

______________________________________________________________________


3) The Code


A] Jsp view examples:

http://127.0.0.1/jsptest.jsp+
http://127.0.0.1/jsptest.jsp\


B] Free protected folder access examples (bugtest is a folder that I
have created and protected with a password):

http://127.0.0.1/bugtest+/
http://127.0.0.1/bugtest\/

If you don't have a protected folder you can quickly follow these
simple steps:

   a) make a new folder called bugtest in webfiles
   b) copy webfiles\index.html in webfiles\bugtest\index.html
   c) add "role.user.url: /bugtest/*" in web.ini file
   d) close and restart the web server to load the new settings

______________________________________________________________________


4) Fix


The Blazix team has patched the server and you can see your real
version in the Readme.txt file in the Blazix folder (it is the ONLY
place where the real version is written).
Blazix 1.2.2 can be downloaded from its homepage:

http://www.blazix.com

______________________________________________________________________


5) Philosophy


I'm really hopeful about the FULL-DISCLOSURE policy, because with it
"everyone" can know the real effects of an attack and the real danger of
a bug, someone can learn a bit of creative programming (I have learned
a bit of interesting C from the source code of some published
exploits) and it's useful for all the people who are hopeful about this
type of disclosure.
No secrets!

______________________________________________________________________


About PivX Solutions
PivX Solutions is a premier network security consultancy offering a
myriad of network security services to our clients, the most notable
being our proprietary Risk and Vulnerability Assessment (RAVA).
Dedicated PivX founders have also developed the patented Invisiwall
network security device which offers the most comprehensive and secure
intrusion detection system available.

For more information go to http://www.PivX.com


Any type of feedback is really welcome!

Byez



-- 
PivX Security Researcher

Copyright 2002, SecurityGlobal.net LLC