wp-02-0011: Jetty CGIServlet Arbitrary Command Execution

[Matt Moore <matt () westpoint ltd uk>]

Westpoint Security Advisory

Title:        Jetty CGIServlet Arbitrary Command Execution
Risk Rating:  Medium
Software:     Jetty Servlet Container
Platforms:    Win32 (other platforms not tested)
Vendor URL:   www.mortbay.org
Author:       Matt Moore <matt () westpoint ltd uk>
Date:         1st October 2002
Advisory ID#: wp-02-0011.txt

Overview:
=========
Jetty is a 100% Java HTTP Server and Servlet Container. A flaw
in the CGIServlet allows an attacker to execute arbitrary commands
on the server.

Details:
========

Commands can be executed on the server by making requests like:

http://jetty-server:8080/cgi-bin/..\..\..\..\..\..\winnt/notepad.exe

Patch / Workaround Information:
===============================

The vendor responded quickly and has released a fixed version, 4.1.0
which can be downloaded from http://jetty.mortbay.org

Excerpt from Vendor announcement at:

http://groups.yahoo.com/group/jetty-announce/message/45

'4.1.0 also contains a priority security fix for the CGI servlet
running on windows platforms. This remotely exploitable problem
effects all previous versions of Jetty that use the CGI servlet
on windows without a permissions file configured for the context.
The CGI servlet from 4.1.0 may be used in 4.0 releases.'

This advisory is available online at:

http://www.westpoint.ltd.uk/advisories/wp-02-0011.txt