iDefense Security Advisory 06.03.08 - Remote exploitation of multiple directory traversal vulnerabilities in Sun Microsystem's Java System Active Server Pages allows attackers to obtain the contents of, and delete, sensitive files on the system. Both vulnerabilities exist within ASP applications included with the product. When accessed via the administration server, the ASP engine does not prevent directory traversal using the "../" construct. By supplying a specially crafted HTTP request to one of the affected ASP applications, an attacker is able to read from arbitrary files. One of the applications will disclose only the first and third lines of the file. Once the application is finished processing the file, it will delete it. iDefense has confirmed the existence of these vulnerabilities within version 4.0.2 of Sun Microsystems Inc.'s Java System Active Server Pages. Older versions are suspected to be vulnerable.
06339fb58e85c14dade0d0848d5a3801cfdec62e2742d377201912f9e58723d2
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed