SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   J Walk Vendors:   SEAGULL
J Walk Application Server Discloses Files to Remote Users
SecurityTracker Alert ID:  1006378
SecurityTracker URL:  http://securitytracker.com/id/1006378
CVE Reference:   CVE-2003-1529   (Links to External Site)
Updated:  Jul 7 2008
Original Entry Date:  Mar 25 2003
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Prior to 3.3C4; Tested on 3.2C9
Description:   An information disclosure vulnerability was reported in the J Walk application server. A remote user can view files on the system.

Information Risk Management reported that a remote user can submit a specially crafted URL to view files on the system with the privileges of the web server process. The remote user can specify '../' directory traversal characters in unicode format. A demonstration exploit is provided:

HTTP://<IP_address>/.%252e/.%252e/.%252e/winnt/repair/sam._

The flaw reportedly resides in the web server that is supplied with J Walk. According to the report, the web server privileges may give the remote user read access to any known file on the system.

Impact:   A remote user can read arbitrary, known files on the system.
Solution:   The vendor has issued a service release (3.3c4 or later), available at:

http://www.seagullsw.com/services/customercare.html

Vendor URL:  www.seagullsw.com/products/jwalk.html (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (NT)
Underlying OS Comments:  Tested on NT 4.0

Message History:   None.


 Source Message Contents

Subject:  IRM 005: JWalk Application Server Version 3.2c9 Directory


--=-3ESWLrCPYhe0kRSyd+fN
Content-Type: text/plain; charset=iso-8859-13
Content-Transfer-Encoding: quoted-printable

=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
IRM Security Advisory No. 005

JWALK application server version 3.2C9 Directory Traversal Vulnerability

Vulnerablity Type / Importance: Information Leakage / High

Problem discovered: November 28th 2002
Vendor contacted: November 28th 2002
Advisory published: March 20th 2003
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-


Abstract:
~~~~~~~~~

"JWalk is a complete development and deployment solution that includes poin=
t-and-click developer=FFs tools, specialized server software and self-updat=
ing thin client viewer software." - quote from Seagull software product doc=
umentation.

The Java-based product is supplied with a proprietary web server, and by us=
ing a browser it is possible to alter the URL to permit the contents of any=
 file on the system to be viewed even those situated outside the web root. =
Using this method it is possible to view important configuration files incl=
uding the "sam._" file which contains the Windows password database.


Description:
~~~~~~~~~~~~

Recently during a penetration test IRM identified a serious security vulner=
ability with the Jwalk application web server version 3.2C9. It appears tha=
t by issuing a URL containing unicode characters representing "../" directo=
ry traversal is possible.=20

IRM used the following URL to obtain the Windows password file on the machi=
ne in question:

HTTP://<IP_address>/.%252e/.%252e/.%252e/winnt/repair/sam._=20

The server process appears to be running with sufficient privileges to read=
 any file on the server (assuming the name and location of this file is kno=
wn).


Tested Versions:
~~~~~~ ~~~~~~~~~
JWALK application server version 3.2C9=20


Tested Operating Systems:
~~~~~~ ~~~~~~~~~ ~~~~~~~~
Microsoft Windows NT 4.0


Vendor & Patch Information:
~~~~~~ ~ ~~~~~ ~~~~~~~~~~~~
The vendor of this product, Seagull software, was contacted via email using=
 the address "info-uk@seagull.nl" on 28th November 2002. When no reply was =
received to this email, another email was sent on 7th January 2003 to the s=
ame address, and copied=20
to "customercare@seagull.nl" and "maintenance@seagull.nl". The vendor telep=
honed IRM to confirm that it was indeed a security vulnerability and starte=
d work on a patch to resolve the issue. Subsequently, the vender explained =
that the fix would be available in the next service release of JWalk, 3.3c4=
, scheduled for delivery on Feb 10, 2003.


Workarounds:
~~~~~~~~~~~~
A workaround involves using different vendor's web server to serve the Jwal=
k application


Credits:
~~~~~~~~
Research & Advisory: Andy Davis=20


Disclaimer:
~~~~~~~~~~~
All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.

A copy of this advisory may be found at
http://www.irmplc.com/advisories

The PGP key used to sign IRM advisories can be obtained from the above
URL, or from keyserver.net and its mirrors.

=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Information Risk Management Plc.=20
http://www.irmplc.com, info@irmplc.com
22 Buckingham Gate=20
London=20
SW1E 6LB
+44 (0)207 808 6420


--=-3ESWLrCPYhe0kRSyd+fN
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQA+gCSkuAU46n6de2URAuxrAJ9/YKFMYu5g3YUGW4F4lfPMcaNalwCfSAEy
gI7BBGx2IwTL/lKT5RjH6Ig=
=awi2
-----END PGP SIGNATURE-----

--=-3ESWLrCPYhe0kRSyd+fN--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC