
Vulnerabilities in Bajie Http JServer

by Phiber on February 16th, 2001

Bajie Http JServer v0.78 is a Java web server available from http://go.to/bajie and http://java.tucows.com. A vulnerability exists which allows a remote attacker to execute any CGI script on the file system by using relative paths (i.e. '..', '...'). In addition, arbitrary shell commands can be executed if the server is UNIX-based.



Details



A servlet named 'UploadServlet' is installed by default which allows
anyone to upload a file to a directory outside the web root. This feature
can be combined with Bajie Http's poor CGI handling to execute arbitrary
Perl programs.



To demonstrate this threat, upload a Perl script using the following URL:



http://localhost/upload.html



The 'UploadServlet' servlet saves the uploaded file under a name built from
the client's hostname, IP address, and original file name. Conveniently for
the attacker, the servlet responds with this new file name. Enter the
following URL to execute the program:



http://localhost/cgi/bin//...//upload/[file name]





Bajie Http does not check whether a CGI program exists before invoking the
Perl binary, so additional commands can be passed to the shell if the server
is running on a UNIX-based platform. This is done with the following URL
(the text after the ';' is run as a separate command):


http://localhost/cgi/bin/test.txt;%20[shell command]
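The two defects above, as an added example in Python rather than Bajie Http's own Java code: `vulnerable_script_path` and `vulnerable_command` model the behaviour the advisory describes (the URL remainder concatenated onto the CGI directory with no normalisation and no existence check, and the interpreter line handed to a shell), while `hardened_script_path` and `hardened_command` show the corresponding checks. The '/cgi/bin/' prefix handling, the PERLEXECLOC value, the directory layout and the sample scripts are assumptions constructed for the demo. The traversal is spelled with '..' here; the hardened check rejects any request whose canonical path falls outside the CGI directory, however the traversal is spelled.

```python
"""Model of Bajie Http's CGI dispatch as described in the advisory, beside a
hardened version. Added example, not the server's own code; every path and
setting below is an assumption made for the demo."""
import os
import tempfile
from urllib.parse import unquote

CGI_PREFIX = "/cgi/bin/"          # assumed URL prefix that triggers CGI handling
PERLEXECLOC = "/usr/bin/perl"      # assumed value of the PERLEXECLOC= setting


def vulnerable_script_path(doc_root, url_path):
    """Strip the prefix and concatenate: no normalisation, no containment
    check, so '..' segments walk out of the CGI directory."""
    rel = unquote(url_path[len(CGI_PREFIX):])
    return os.path.join(doc_root, "cgi", "bin", rel)


def vulnerable_command(script_path):
    """Interpreter and path joined into one command line that is later run by
    a shell: a ';' that survived from the URL starts a second command. The
    script's existence is never checked."""
    return PERLEXECLOC + " " + script_path


def hardened_script_path(doc_root, url_path):
    """Canonicalise, require the result to stay inside cgi/bin, and require
    the script to exist before anything is executed."""
    if not url_path.startswith(CGI_PREFIX):
        return None
    cgi_root = os.path.realpath(os.path.join(doc_root, "cgi", "bin"))
    rel = unquote(url_path[len(CGI_PREFIX):])
    candidate = os.path.realpath(os.path.join(cgi_root, rel))
    if os.path.commonpath([cgi_root, candidate]) != cgi_root:
        return None                 # escaped the CGI directory
    if not os.path.isfile(candidate):
        return None                 # nothing to run; also kills 'test.txt; cmd'
    return candidate


def hardened_command(script_path):
    """argv list for subprocess.run(..., shell=False): no shell ever parses
    the path, so ';' in a file name is just a character."""
    return [PERLEXECLOC, script_path]


def run_demo():
    """Build a constructed document root and exercise both versions."""
    with tempfile.TemporaryDirectory(prefix="bajie-demo-") as root:
        cgi_bin = os.path.join(root, "cgi", "bin")
        upload = os.path.join(root, "upload")        # UploadServlet's directory
        os.makedirs(cgi_bin)
        os.makedirs(upload)
        with open(os.path.join(cgi_bin, "hello.pl"), "w") as f:
            f.write('print "hello\\n";\n')           # constructed legitimate script
        with open(os.path.join(upload, "evil.pl"), "w") as f:
            f.write("system('id');\n")               # constructed attacker upload

        traversal = "/cgi/bin/../../upload/evil.pl"  # reaches the uploaded file
        injection = "/cgi/bin/test.txt;%20id"        # URL shape from the advisory
        legit = "/cgi/bin/hello.pl"

        vuln_path = vulnerable_script_path(root, traversal)
        legit_path = hardened_script_path(root, legit)
        return {
            "vuln_traversal": os.path.normpath(vuln_path)
                              == os.path.join(root, "upload", "evil.pl"),
            "vuln_injection_cmd": vulnerable_command(
                vulnerable_script_path(root, injection)),
            "hard_traversal": hardened_script_path(root, traversal),
            "hard_injection": hardened_script_path(root, injection),
            "hard_legit": legit_path
                          == os.path.realpath(os.path.join(cgi_bin, "hello.pl")),
            "hard_cmd": hardened_command(legit_path),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable model resolves the traversal URL to the uploaded file and produces a command line ending in `test.txt; id`, which is exactly what a shell would split into two commands; the hardened functions return `None` for both requests and only build an argv list for a script that really exists inside cgi/bin.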





Solution



Delete all unnecessary servlets, including 'UploadServlet'. Edit the
'PERLEXECLOC=' line in the 'jzHttpSrv.properties' file to disable CGI
support; with CGI disabled the Perl binary is never invoked, which also
closes the shell command injection.



Vendor Status



The author, Gang Zhang, was initially contacted on Saturday, January 27, 2001. Gang verified the vulnerabilities and expressed a willingness to issue a fix. Almost three weeks have passed and nothing has been released.





Posted by Joe Testa (e-mail: [email protected] / AIM: LordSpankatron)

