Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Vulnerabilities in Bajie Http JServer

From: joetesta () HUSHMAIL COM
Date: Thu, 15 Feb 2001 20:27:54 -0800
----- Begin Hush Signed Message from joetesta () hushmail com -----

Vulnerabilities in Bajie Http JServer



    Overview

Bajie Http JServer v0.78 is a Java web server available from
http://go.to/bajie and http://java.tucows.com.  A vulnerability exists
which allows a remote attacker to execute any CGI script on the file
system by using relative paths (ie: '..', '...').

In addition, arbitrary shell commands can be executed if the server is
UNIX-based.



    Details

A servlet named 'UploadServlet' is installed by default which allows
anyone to upload a file to a directory outside the web root.  This feature
can be combined with Bajie Http's poor CGI handling to execute arbitrary
PERL programs.

To demonstrate this threat, upload a PERL script using the following URL:

        http://localhost/upload.html

The 'UploadServlet' servlet saves the uploaded file using the client's
hostname, IP address, and original file name.  Fortunately, the servlet
responds with this new file name automatically.  Type in the following URL
to execute the program:

        http://localhost/cgi/bin//...//upload/[file name]



Bajie Http does not check if a CGI program exists before executing the
PERL binary, therefore commands can be passed to a shell if the server is
running on a UNIX-based platform.  This is done with the following URL:

        http://localhost/cgi/bin/test.txt;%20[shell command]



    Solution

First vulnerability:
    Delete all unnecessary servlets.  Edit the 'PERLEXECLOC=' line in the
'jzHttpSrv.properties' file to disable CGI support.

Second vulnerability:
    None.




    Vendor Status

    The author, Gang Zhang, was initially contacted via
<gzhangx () hotmail com> on Saturday, January 27, 2001.  Gang verified the
vulnerabilities and expressed a willingness to issue a fix.  Almost three
weeks have passed, and nothing has been released.



    - Joe Testa  ( e-mail: joetesta () hushmail com / AIM: LordSpankatron )


----- Begin Hush Signature v1.3 -----
Hpcq51thWehPYBFyGd6HDfCnQ99EAqSme8Vwa7cz3aoMSMPMacq3Ex+1IA6+8s1kw/xr
WwLAemxNnR1toIh9geTpOASqGBrCNhMBBc23AUhdQSs4nZk48CM2zek7V2jz0fXls2Ox
ahn5F/A2qkZnq1hIfIMZLt5NG106VI2rQbu6AgDo1kzD7VSZLdF0n7s3kJwcRTCexByQ
jtxjCCoP25R9j1WYARl5zlBr2ulwsa9eOz/9UWl/Gq8kGB+CtdNpxSFIoxgO1wu68xY/
fZzicm3uqRyVPpNPpfkCZqmBvdwOpDb03RWL3JkGzzP2s15txISJ31N7IFs8gHLT/6xi
eqciatOeTUSPuXWxRqykspEVDcD/e3ku+CR+4eYWOCO1b//P8fu5EBNxEYJy4yOtc+3V
uRmBfz/G3WZNM/eoyVjd0kNlXiXTNI4o9MwwYVpT3MsQsEGFuJxowsUNmyYkl7jER1X+
+JKO6ti46HP7KkArhVB960kFMQCqKfhBzfZ0MYmWDmVf
----- End Hush Signature v1.3 -----
\n\nThis message has been signed with a Hush Digital Signature. \nTo verify the signature, please go to 
www.hush.com/tools\n\n
Previous By Date Next
Previous By Thread Next

Current thread: