exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

servletexec-4.1.txt

servletexec-4.1.txt
Posted May 24, 2002
Authored by Matt Moore | Site westpoint.ltd.uk

NewAtlanta ServletExec ISAPI v4.1 contains three vulnerabilities. Remote users can read any file in the webroot, crash the server, and display the physical path of the web root. Patch available here.

tags | exploit, remote, web, root, vulnerability
SHA-256 | fc28cc03d24fa98eb266f32deaf3daa32abc63bfc958831609ba5849b34c2d4a

servletexec-4.1.txt

Change Mirror Download
Westpoint Security Advisory

Title: Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1
Risk Rating: High
Software: ServletExec 4.1 ISAPI / IIS 4 & 5
Platforms: Win2k / WinNT 4
Vendor URL: www.newatlanta.com
Author: Matt Moore <matt@Westpoint.ltd.uk>
Date: 22 May 2002
Advisory ID#: wp-02-0006.txt

Overview:
=========

ServletExec 4.1 ISAPI is a Java Servlet/JSP Engine for Internet Information
Server and is implemented as an ISAPI filter.
The JSP functionality is provided by a servlet which is enabled by default
and contains three security flaws.

Details:
========

1. ServletExec discloses physical path of webroot
=================================================

It is possible to invoke the class 'com.newatlanta.servletexec.JSP10Servlet'
directly by requesting a url such as:

/servlet/com.newatlanta.servletexec.JSP10Servlet/

If no filename is supplied to it, then it returns an error message:

Error. The file was not found. (filename =
f:\inetpub\wwwroot\servlet\com.newatlanta.servletexec.JSP10Servlet\)

disclosing the physical path of the web root.

2. JSP10Servlet allows files to be read from within IIS webroot
===============================================================

By invoking the JSP10Servlet (or simply JSPServlet) using the URL described
above, it is possible to read files from within the web root.
It did not appear to be possible to 'break out' of the web root and read
files from other parts of the file system.
The path must be URL encoded for this to work. For instance, a request such
as

/servlet/com.newatlanta.servletexec.JSP10Servlet/..%5c..%5c\global.asa

will retrieve the global.asa file, which is normally not served.

3. DoS via overly long request for .JSP file
============================================

By making a request for an overly long named .jsp file, Internet Information
Server can be crashed.

The denial of service condition can be triggered by either requesting an
overly long named .jsp file:

i.e. /servlet/AAAAAAAAAAAAAAA....AAAAAAAAAAAAAA.jsp

or by invoking the JSPServlet or JSP10Servlet directly:

or/servlet/com.newatlanta.servletexec.JSPServlet/AAAAAAAA....AAAA

Patch Information:
==================

There is a workaround for the physical path disclosure bug, which should be
in the FAQ's at
http://www.newatlanta.com/products/servletexec/self_help/faq_list.jsp

The other issues are fixed in Patch #9 from
ftp://ftp.newatlanta.com/public/4_1/patches/

Additional Information
======================

Nessus plugins are available to test for the vulnerabilities identified
above, from www.nessus.org:

servletExec_DoS.nasl (ID 10958)
ServletExec_File_Reading.nasl (ID 10959)
ServletExec_path_disclosure.nasl (ID 10960)

www.westpoint.ltd.uk/advisories/wp-02-0006.txt

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close