Auriemma Luigi, PivX security advisory
Application: Blazix (http://www.blazix.com) Version: 1.2 and previous Bug: Bad management of files requested with at the end some "bad" characters Risk (low): An attacker can view jsp and other server side scripts with the ability to access any password protected folders Author: Auriemma Luigi, Security Researcher, PivX Solutions, LLC e-mail: firstname.lastname@example.org
1) Introduction 2) Bug 3) The Code 4) Fix 5) Philosophy
Blazix is a commercial webserver totally written in Java. It has some feautures like the Ejb server (port 2050) and the admin server (port 3010) for change some parameters and for stop or restart the webserver. Some functions of this server are: Servlets 2.3 usage, ION, JMS, E-mail sending support, Cluster Management, Class Reloads, Automatic EJB Primary Keys generation, Virtual Hosting support and other.
The bug I want to describe is one of the most diffused problems in the current applications. It is the problem that have some operating sytems API that open files without checking some character that can be attached to the file name. In Blazix the "bad" characters are '+' and '\' (NOT %2b and %5c).
With this bug we can view all the server side scripts in it and, more dangerous, we have free access to the password protected folders.
Attention because the version 1.2.1 (released for some days) is still vulnerable to the "password protected folder access" (only the jsp view has been fixed in this release).
3) The Code
A] Jsp view examples:
B] Free protected folder access examples (bugtest is a folder that I have created and protected with a password):
If you don't have a protected folder you can quickly follow these simple steps:
a) make a new folder called bugtest in webfiles b) copy webfiles\index.html in webfiles\bugtest\index.html c) add "role.user.url: /bugtest/*" in web.ini file d) close and restart the web server for load the new settings
The Blazix team has patched the server and you can see your real version in the Readme.txt file in the Blazix folder (it is the ONLY place where is written the real version). Blazix 1.2.2 can be downloaded from its homepage:
I'm really hopeful about the FULL-DISCLOSURE policy, because with it "everyone" can know the real effects of an attack, the real danger of a bug, someone can learn a bit of creative programming (I have learned a bit of interesting C from the source code of some published exploits) and it's useful for all the people that are hopeful in this type of disclosure. No secrets!
About PivX Solutions PivX Solutions, is a premier network security consultancy offering a myriad of network security services to our clients, the most notable being our proprietary Risk and Vulnerability Assessment (RAVA). Dedicated PivX founders have also developed the patented Invisiwall network security device which offers the most comprehensive and secure intrusion detection system available.
For more information go to http://www.PivX.com
Any type of feedback is really welcome!
-- PivX Security Researcher