Lucene search
K

jspwiki-multi.txt

🗓️ 14 Feb 2008 00:00:00Reported by Moshe BAType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 38 Views

JSPWiki v2.4.104 and v2.5.139 Multiple Vulnerabilities in Local File Inclusion and Cross-Site Scriptin

Code
`_*JSPWiki Multiple Vulnerabilities*_  
  
*__**_  
Vendor:  
_*Janne Jalkanen JSPWiki – http://www.jspwiki.org   
<http://www.jspwiki.org/>*_  
  
Application Description:  
_*From JSPWiki website - “JSPWiki is a feature-rich and extensible   
WikiWiki engine built around a standart J2EE components (Java, servlets,   
JSP).”  
  
*_Tested versions:  
_*JSPWiki v2.4.104  
JSPWiki v2.5.139  
/Earlier versions may also be affected.  
/*_  
JSPWiki Local .jsp File Inclusion Vulnerability  
_*An input validation problem exists within JSPWiki which allows to   
execute (include) arbitrary local .jsp files. An attacker may leverage   
this issue to execute arbitrary server-side script code on a vulnerable   
server with the privileges of the web server process.  
  
/Example (including //rss.jsp// file from the application root directory):/  
  
http://server/JSPWikiPath/Edit.jsp?page=Main&editor=../../../rss   
<http://server/JSPWikiPath/Edit.jsp?page=Main&editor=../../../rss>  
  
/Note: //page// parameter must be an existing page on the server./  
  
This grants an attacker unauthorized access to sensitive .jsp files on   
the server and can lead to information disclosure.  
  
/Examples:/  
  
http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../Install   
<http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../Install>  
  
http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../admin/SecurityConfig   
<http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../admin/SecurityConfig>  
  
The first example disclose sensitive information such as the full path   
of the application on the server, page (and attachments) storage path,   
log files and work directory by including the application installation   
(Install.jsp).  
  
The second example disclose the application security configurations by   
including the JSPWiki Security Configuration Verifier file   
(admin/SecurityConfig.jsp).  
  
In addition, JSPWiki allow users to upload (attach) files to entry   
pages. An attacker can use the information disclosed by the installation   
file to upload a malicious .jsp file and locally execute it.  
  
_By executing malicious server-side code, an attacker may be able to   
compromise the server._  
  
*_JSPWiki Cross-Site Scripting Vulnerability  
_*An attacker may leverage cross-site scripting vulnerability to have   
arbitrary script code executed in the browser of an unsuspecting user in   
the context of the affected site. This may facilitate the theft of   
cookie-based authentication credentials as well as other attacks.  
  
/Example:/  
  
http://server/JSPWikiPath/Edit.jsp?page=Main&editor=%3Cscript%3Ealert(document.cookie)%3C/script%3E   
<http://server/JSPWikiPath/Edit.jsp?page=Main&editor=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E>  
  
_*Original Document:  
*http://www.bugsec.com/articles.php?Security=48&Web-Application-Firewall=0   
<http://www.bugsec.com/articles.php?Security=48&Web-Application-Firewall=0>  
_  
*_Download PDF:  
_*http://www.bugsec.com/up_files/JSPWiki_Multiple_Vulnerabilities.pdf  
*_  
_*  
  
*_Credit:  
_*Moshe BA  
BugSec LTD. - Security Consulting Company  
Tel: +972-3-9622655  
Fax: +972-3-9511433  
Email: Info -at- BugSec -d0t- com  
http://www.bugsec.com <http://www.bugsec.com/>  
  
--   
Moshe :: Trancer  
0nly Human.  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation