COMMAND

    Jana

SYSTEMS AFFECTED

    Jana Webserver v1.45, 1.46, 2.0Beta1

PROBLEM

    The following is a continuation of the previous "Jana chapter", available at:

        http://oliver.efri.hr/~crv/security/bugs/Others/jana2.html

    This input was provided by nemesystm of the DHC.  Jana Webserver is,
    well, a webserver.  It has a hex-encoded dot dot (directory
    traversal) bug and a denial of service.

    Tested to be vulnerable to the hex-encoded dot dot bug are:
    - Jana Webserver v1.45
    - Jana Webserver v1.46

    All older versions are assumed to be vulnerable as well.

    Tested to be vulnerable to the denial of service are:
    - Jana Webserver v1.45
    - Jana Webserver v1.46
    - Jana Webserver v2.0 Beta 1

    All older versions are assumed to be vulnerable as well.

    To test this vulnerability, try the following:

        www.server.com/%2e%2e/%2e%2e/%2e%2e/scandisk.log

    Add or remove %2e%2e/ segments to reflect the directory Jana was
    installed in.  The denial of service can be tested by requesting

        www.server.com/aux

SOLUTION

    This is fixed in the next release of Jana.
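
    As an added example (not part of the original advisory or of Jana's
    code), here is a request-path check a server could apply against both
    issues: it percent-decodes before validating, so %2e%2e is seen as
    "..", and it rejects reserved DOS device names such as AUX, which
    Windows resolves to a device rather than a file.  The function name
    and the sample paths are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Reserved DOS device names on Windows. "aux", "AUX." and "aux.log" all
# resolve to the device, so the check below looks only at the name stem.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}


def safe_relative_path(raw_path, max_decode_rounds=3):
    """Return a path relative to the document root, or None to reject.

    raw_path is the still percent-encoded path from the request line.
    """
    path = raw_path.split("?", 1)[0]  # drop any query string
    # Decode BEFORE validating, and repeat until the value is stable so
    # double encoding (%252e) cannot smuggle dots past the check.
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None  # still changing after several rounds: reject
    if "\x00" in path:
        return None
    # Windows accepts both separators, so treat "\" like "/".
    segments = [s for s in path.replace("\\", "/").split("/")
                if s not in ("", ".")]
    for seg in segments:
        # Reject "..", and conservatively any dots-and-spaces-only name,
        # since Windows strips trailing dots and spaces.
        if seg.strip(". ") == "":
            return None
        stem = re.split(r"[.:]", seg, maxsplit=1)[0].rstrip(" ").upper()
        if stem in RESERVED:
            return None
    return "/".join(segments)


if __name__ == "__main__":
    # Constructed sample request paths, including the two from the advisory.
    for p in ("/index.html", "/%2e%2e/%2e%2e/%2e%2e/scandisk.log", "/aux"):
        print(p, "->", safe_relative_path(p))
```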