JavaServer Web Dev Kit Request Arbitrary File Access

2001-03-28T00:00:00
ID OSVDB:7708
Type osvdb
Reporter lovehacker(lovehacker@263.net)
Modified 2001-03-28T00:00:00

Description

Vulnerability Description

JavaServer Web Dev Kit contains a flaw that can lead to unauthorized information disclosure. The issue is due to the JavaServer Web Dev Kit not properly sanitizing user input. By sending a specially crafted URL request containing "dot dot" sequences (../../) to port 8080, a remote attacker can access unauthorized files, which leads to a loss of confidentiality.

Solution Description

Upgrade to version 1.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

JavaServer Web Dev Kit contains a flaw that can lead to unauthorized information disclosure. The issue is due to the JavaServer Web Dev Kit not properly sanitizing user input. By sending a specially crafted URL request containing "dot dot" sequences (../../) to port 8080, a remote attacker can access unauthorized files, which leads to a loss of confidentiality.

Manual Testing Notes

http://[victim]:8080/../examples//WEB-INF/../../../../../
http://[victim]:8080/../../../../etc/passwd
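The containment check a web server should apply before mapping a request-target to a file, as an added example that is not part of the OSVDB record or the JSWDK code base: the path is walked segment by segment and refused as soon as ".." would climb above the document root, and the same check is then run over a constructed access-log sample containing the two manual-testing URLs above. The document root, the log lines and the WEB-INF rule (mirroring the servlet convention that WEB-INF is never served) are assumptions.

```python
import re
from posixpath import join as path_join
from urllib.parse import unquote

# Hypothetical document root; the real directory depends on the JSWDK installation.
DOC_ROOT = "/opt/jswdk/webpages"

def resolve_request_path(request_target: str, doc_root: str = DOC_ROOT):
    """Map an HTTP request-target to a file under doc_root, or return None.

    None means refuse: the path climbs above the root with "..", carries a
    NUL or backslash, or reaches WEB-INF (which a servlet container never serves).
    """
    path = request_target.split("?", 1)[0]      # drop any query string
    decoded = unquote(path)                       # check the form the server maps to disk
    if "\x00" in decoded or "\\" in decoded:
        return None
    stack = []
    for segment in decoded.split("/"):
        if segment in ("", "."):                  # "//" and "/./" change nothing
            continue
        if segment == "..":
            if not stack:                         # more ".." than directories: escape attempt
                return None
            stack.pop()
            continue
        if segment.casefold() == "web-inf":
            return None
        stack.append(segment)
    return path_join(doc_root, *stack) if stack else doc_root

# Constructed access-log sample (Common Log Format), not real traffic.
SAMPLE_LOG = """\
192.0.2.7 - - [28/Mar/2001:10:00:01 +0000] "GET /examples/index.html HTTP/1.0" 200 1043
192.0.2.7 - - [28/Mar/2001:10:00:02 +0000] "GET /../examples//WEB-INF/../../../../../ HTTP/1.0" 200 4096
192.0.2.7 - - [28/Mar/2001:10:00:03 +0000] "GET /../../../../etc/passwd HTTP/1.0" 200 912
"""
REQUEST_LINE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')

def traversal_requests(log_text: str):
    """Return the request-targets in an access log that fail the containment check."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if match and resolve_request_path(match.group(1)) is None:
            hits.append(match.group(1))
    return hits
```

Calling `traversal_requests(SAMPLE_LOG)` returns the two traversal request-targets and leaves the ordinary `/examples/index.html` request alone.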

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-03/0437.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-08/0270.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-08/0277.html
Keyword: Directory Traversal
Keyword: JSWDK
ISS X-Force ID: 6312
CVE-2001-0404