Servlet Exec 5.0p06 File Retrieval

Reported 13 Aug 2010 by Stefano Di Paola. Type: packetstorm. Source: packetstormsecurity.com

Servlet Exec 5.0p06 File Retrieval Security Vulnerabilities Advisor

Code
`Minded Security Labs: Advisory #MSA260209  
Servlet Exec Multiple Security Issues  
  
Tested Versions:   
Servlet Exec 5.0p06 on Microsoft IIS 6.0  
  
  
Minded Security ReferenceID:  
MSA260209  
  
  
Credits:  
Discovery by  
Stefano Di Paola and Giorgio Fedon of Minded Security  
Stefano Di Paola stefano.dipaola [_at_] mindedsecurity.com discovered the   
first issue (Path Traversal) and   
Giorgio Fedon giorgio.fedon [_at_] mindedsecurity.com discovered the second   
issue (Authentication Bypass)  
  
  
Severity:   
High: Attackers may be able to read application secrets stored in configuration  
files or to bypass authentication on the Servlet Exec administrative interface.  
  
  
Solution:   
Update your installation with July 2010 hotfix:  
http://www.newatlanta.com/c/products/servletexec/download/hotfix/showHotfixes  
  
  
Summary  
  
Minded Security consultants discovered during a penetration testing activity that   
New Atlanta Servlet Exec may permit reading system configuration files or gaining   
access to system information without valid credentials.  
  
  
Analysis  
  
  
First Issue: Path Traversal  
Minded Security consultants were able to access arbitrary files on the ServletExec   
system path by abusing a flaw in the administration help of the ServletExec platform.  
In fact, by requesting the following URL:  
  
http://<webserver>/servlet/pagecompile._admin._help._helpContent_xjsp?  
page=../../WEB-INF/web.xml  
  
it is possible to download the "web.xml" file of an application.  
  
  
  
Second issue: Authentication Bypass  
Furthermore, we discovered that some functionalities of the Servlet Exec   
Administrative Interface can be accessed without any valid user credentials.  
By supplying a properly crafted request to the Servlet interface, it is possible   
to gain direct access to precompiled JSP pages stored inside the "Servlet Exec   
Admin" package.  
The following request will display the login interface:  
  
http://<webserver>/servlet/pagecompile._admin._login_xjsp  
  
It is very important to observe that direct access to "Servlet Exec   
Administrative" functionalities may lead to a full system compromise if the   
attacker is able to deploy his own malicious code on the protected environment.  
The following request will show the system properties:  
  
http://<webserver>/servlet/pagecompile._admin._vmSystemProperties_xjsp  
  
Other examples include unauthorized access to the   
"Log Configuration":  
  
http://<webserver>/servlet/pagecompile._admin._SELogging_xjsp  
  
Unauthorized access to Administrative User Management panel:  
  
http://<webserver>/servlet/pagecompile._admin._userMgt_xjsp  
  
Access to virtual server management:  
  
http://<webserver>/servlet/pagecompile._admin._virtualServers_xjsp  
  
Access to Admin Optional packages configuration section:  
  
http://<webserver>/servlet/pagecompile._admin._optionalPackages_xjsp  
  
Access to Data Sources configuration section:  
  
http://<webserver>/servlet/pagecompile._admin._dataSources_xjsp  
  
Access to Admin Debug configuration section:  
  
http://<webserver>/servlet/pagecompile._admin._debug_xjsp  
  
  
  
Disclosure Timeline  
  
26/02/2009 Issue found  
29/04/2010 Reported to Vendor  
  
  
Disclaimer  
  
  
The information within this paper may change without notice. Use  
of this information constitutes acceptance for use in an AS IS  
condition. There are NO warranties with regard to this information.  
  
In no event shall the author be liable for any damages whatsoever   
arising out of or in connection with the use or spread of this   
information.  
  
Any use of this information is at the user's own risk.  
Permission is hereby granted for the redistribution of this Alert  
electronically. It is not to be edited in any way without express  
consent of Minded Security Research Lab. If you wish to reprint the  
whole or any part of this Alert in any other medium excluding  
electronic medium, please e-mail research_at_mindedsecurity.com   
for permission.  
  
  
  
Copyright (c) 2010 Minded Security, S.r.l.  
  
All rights reserved worldwide.  
  
  
  
`
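Added example, not part of the advisory and not code from Minded Security or New Atlanta: a small Python detector that scans IIS W3C-format access log lines for the two indicators the advisory describes, direct requests for precompiled `pagecompile._admin.*` JSP pages (the authentication-bypass surface) and `../` or `WEB-INF` references in the query string (the file-retrieval path traversal). The field names are the standard IIS W3C ones; the embedded log sample, its timestamps, server and client addresses, and the `page=intro.html` request are constructed for the demonstration. Percent-decoding is applied repeatedly (bounded) so that double-encoded traversal sequences are not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample of an IIS 6.0 W3C extended log. The request paths mirror
# the URLs from the advisory; hosts, times and client addresses are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-08-13 10:00:01 10.0.0.5 GET /servlet/pagecompile._admin._help._helpContent_xjsp page=..%2F..%2FWEB-INF%2Fweb.xml 80 - 192.0.2.10 Mozilla/5.0 200 0 0
2010-08-13 10:00:02 10.0.0.5 GET /servlet/pagecompile._admin._vmSystemProperties_xjsp - 80 - 192.0.2.10 Mozilla/5.0 200 0 0
2010-08-13 10:00:03 10.0.0.5 GET /index.html - 80 - 192.0.2.11 Mozilla/5.0 200 0 0
2010-08-13 10:00:04 10.0.0.5 GET /servlet/pagecompile._admin._help._helpContent_xjsp page=intro.html 80 - 192.0.2.12 Mozilla/5.0 200 0 0
"""

# Any direct hit on a precompiled page of the admin package: the advisory shows
# these are reachable without passing the administrative login.
ADMIN_PRECOMPILED = re.compile(r"^/servlet/pagecompile\._admin\.", re.IGNORECASE)
# "../" or "..\" segments, or a WEB-INF path component, inside a parameter value.
TRAVERSAL = re.compile(r"\.\.[\\/]|(?:^|[\\/=])WEB-INF(?:[\\/]|$)", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log data appears before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed entry; skip rather than misalign columns
        yield dict(zip(fields, values))


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so a double-encoded '..%252F' is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse(entry):
    """Return the list of reasons an entry is suspicious (empty if benign)."""
    reasons = []
    stem = fully_decode(entry.get("cs-uri-stem", ""))
    query = entry.get("cs-uri-query", "-")
    query = "" if query == "-" else fully_decode(query)
    if ADMIN_PRECOMPILED.search(stem):
        reasons.append("direct request for a precompiled admin JSP (authentication bypass)")
    if TRAVERSAL.search(query):
        reasons.append("traversal or WEB-INF reference in query string (file retrieval)")
    return reasons


def find_suspicious(text):
    """Scan a whole W3C log and return the flagged entries with their reasons."""
    findings = []
    for entry in parse_w3c(text):
        reasons = analyse(entry)
        if not reasons:
            continue
        query = entry.get("cs-uri-query", "-")
        findings.append({
            "time": f"{entry.get('date', '?')} {entry.get('time', '?')}",
            "client": entry.get("c-ip", "?"),
            "status": entry.get("sc-status", "?"),
            "uri": entry.get("cs-uri-stem", "") + ("" if query == "-" else "?" + query),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['status']} {f['uri']}")
        for r in f["reasons"]:
            print("    -", r)
```

A 200 status on a flagged `pagecompile._admin.*` request from an address outside the administrative network is the signal worth alerting on; on a patched host (the July 2010 hotfix linked above) the same requests should no longer succeed, so the detector also doubles as a quick check that the hotfix took effect.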
