SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Red Hat JBoss Vendors:   JBoss Group
JBoss Application Server Error in DeploymentFileRepository Class Lets Remote Users Read and Write Files
SecurityTracker Alert ID:  1017289
SecurityTracker URL:  http://securitytracker.com/id/1017289
CVE Reference:   CVE-2006-5750   (Links to External Site)
Date:  Nov 27 2006
Impact:   Disclosure of system information, Disclosure of user information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.0.5 and prior versions
Description:   A vulnerability was reported in JBoss Application Server. A remote user can view or write files on the target system.

The setBaseDir() method of the DeploymentFileRepository class does not properly validate the basedir setting. A remote user can connect to the console manager to read or write arbitrary files on target system with the privileges of the JBoss user account.

Symantec reported this vulnerability to the vendor.

The original bug report is available at:

http://jira.jboss.com/jira/browse/JBAS-3861

Impact:   A remote user can view or write files on the target system.
Solution:   The vendor has issued a source code fix, available via SVN.
Vendor URL:  www.jboss.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 27 2006 (Red Hat Issues Fix) JBoss Application Server Error in DeploymentFileRepository Class Lets Remote Users Read and Write Files
Red Hat has released a fix for Red Hat Application Stack on RHEL 4.
Feb 12 2007 (Novell Issues Advisory for Identity Manager) JBoss Application Server Error in DeploymentFileRepository Class Lets Remote Users Read and Write Files
Novell has issued a workaround for Novell Identity Manager UserApplication, which is affected by this JBoss vulnerability.
Apr 9 2008 (HP Plans to Issue a Fix for HP Storage Essentials) JBoss Application Server Error in DeploymentFileRepository Class Lets Remote Users Read and Write Files
HP plans to issue a fix for HP Storage Essentials.



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC