SecurityTracker.com
SecurityTracker
Archives

Category:   Application (Web Server/CGI)  >   JavaServer Web Dev Kit
Vendors:   Sun
Sun's JavaServer Web Development Kit Allows Remote Users to Access Files Outside the Document Root Directory
SecurityTracker Alert ID:  1001194
SecurityTracker URL:  http://securitytracker.com/id/1001194
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 29 2001
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 1.0.1 and prior
Description:   A vulnerability in Sun's JavaServer Web Development Kit (JSWDK) 1.0.1 for Windows 2000 has been reported by the CHINANSL Security Team. It allows a remote user to access files outside the document root directory.

A demonstration exploit for this directory traversal vulnerability:

http://localhost:8080/examples//WEB-INF/
This request returns a listing of the /WEB-INF/ directory.

http://localhost:8080/../examples//WEB-INF/../../../../../

In this example, if JSWDK is installed in C:\, the request will return a listing of all files and directories under C:\.
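As an added defender-side example (not part of the SecurityTracker record or the CHINANSL advisory), the following Python applies the path normalization a web server must perform before mapping a request to the filesystem, and runs it over constructed access-log lines that contain the two request URLs above. The log format and host names are constructed; the rule that a servlet container must never serve the WEB-INF subtree directly comes from the Servlet specification, not from this page.

```python
import re
from urllib.parse import unquote, urlsplit

def normalize_url_path(raw_path: str):
    """Collapse '//', '.' and '..' in a URL path. Return None when the
    path tries to climb above the web root; such a request must be
    rejected instead of being handed to the filesystem."""
    path = unquote(raw_path)              # decode %2e%2e-style encodings first
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):              # empty segments come from '//' or a leading '/'
            continue
        if seg == "..":
            if not stack:
                return None               # traversal above the document root
            stack.pop()
        else:
            stack.append(seg)
    return "/" + "/".join(stack)

def classify_request(raw_path: str) -> str:
    """Return 'allow', 'traversal' or 'web-inf' for one request path."""
    norm = normalize_url_path(raw_path)
    if norm is None:
        return "traversal"
    # Case-insensitive: the affected platform is Windows (NT/2000).
    if any(seg.lower() == "web-inf" for seg in norm.split("/")):
        return "web-inf"
    return "allow"

# Constructed access-log lines; the second and third carry the advisory's URLs.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Mar/2001:10:00:01 +0000] "GET /examples/index.html HTTP/1.0" 200 512
10.0.0.5 - - [29/Mar/2001:10:00:02 +0000] "GET /examples//WEB-INF/ HTTP/1.0" 200 1840
10.0.0.5 - - [29/Mar/2001:10:00:03 +0000] "GET /../examples//WEB-INF/../../../../../ HTTP/1.0" 200 4096
"""

def scan_log(log_text: str):
    """Return (request_path, verdict) for every request that is not 'allow'."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'"(?:GET|HEAD|POST) (\S+) HTTP/', line)
        if not m:
            continue
        path = urlsplit(m.group(1)).path  # drop any query string before checking
        verdict = classify_request(path)
        if verdict != "allow":
            hits.append((path, verdict))
    return hits
```

The same normalization should be followed by a filesystem-level check (resolve the real path and confirm it still lies under the document root), since URL-level filtering alone does not cover every encoding a server may accept.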

Impact:   A remote user can gain access to files outside the document root directory.
Solution:   Upgrade to a more recent version.
Vendor URL:  www.sun.com
Cause:   Access control error, Input validation error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   None.


Source Message Contents

Subject:  CHINANSL Security Advisory(CSA-200106)


Topic:
JavaServer Web Dev Kit (JSWDK) 1.0.1 for Win2000
Directory Traversal Vulnerability

vulnerable:
Microsoft Win2000
maybe for other operating systems also.

discussion:
A security vulnerability has been found in Windows NT/2000 systems that have JSWDK 1.0.1 installed. The vulnerability allows remote attackers to access files outside the document root directory scope.

exploits:
http://localhost:8080/examples//WEB-INF/
Listing of the /WEB-INF/ directory.

http://localhost:8080/../examples//WEB-INF/../../../../../
If JSWDK is installed in c:\, the query will list all files and directories under c:\.

solution:
Update JSWDK

Copyright 2000-2001 CHINANSL. All Rights Reserved. Terms of use.

CHINANSL Security Team 
<lovehacker@chinansl.com> 
CHINANSL INFORMATION TECHNOLOGY CO.,LTD 
(http://www.chinansl.com)


Copyright 2021, SecurityGlobal.net LLC