COMMAND
JServer
SYSTEMS AFFECTED
Bajie Http JServer
PROBLEM
Joe Testa found the following. Bajie Http JServer v0.78 is a Java
web server. A vulnerability exists which allows a remote attacker
to execute any CGI script on the file system by using relative
paths (i.e. '..', '...'). In addition, arbitrary shell commands
can be executed if the server is UNIX-based.
A servlet named 'UploadServlet' is installed by default which
allows anyone to upload a file to a directory outside the web
root. This feature can be combined with Bajie Http's poor CGI
handling to execute arbitrary Perl programs. To demonstrate this
threat, upload a Perl script using the following URL:
http://localhost/upload.html
The 'UploadServlet' servlet saves the uploaded file using the
client's hostname, IP address, and original file name.
Fortunately, the servlet responds with this new file name
automatically. Type in the following URL to execute the program:
http://localhost/cgi/bin//...//upload/[file name]
Bajie Http does not check whether a CGI program exists before
executing the Perl binary, so commands can be passed to a shell if
the server is running on a UNIX-based platform. This is done with
the following URL:
http://localhost/cgi/bin/test.txt;%20[shell command]
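Both CGI defects described above come down to the server handing an unchecked request path to the Perl interpreter. The function below is an added illustration of the validation a CGI handler should perform before invoking any interpreter; it is not Bajie Http's code, is written in Python rather than the server's Java so it runs stand-alone, and CGI_ROOT and KNOWN_SCRIPTS are constructed values.

```python
from typing import Optional, Tuple
from urllib.parse import unquote
import posixpath
import re

# Directory under which CGI scripts are allowed to live (constructed for this example).
CGI_ROOT = "/srv/www/cgi-bin"
# Stand-in for a filesystem existence check: the scripts that really exist under CGI_ROOT.
KNOWN_SCRIPTS = {"hello.pl", "guestbook.pl"}
# URL prefix that routes to the CGI handler, as in the advisory's URLs.
CGI_PREFIX = "/cgi/bin/"
# A script name must be a single path component of ordinary characters: no '/',
# no leading dots (so '..' and '...' fail), and none of the characters a shell
# treats specially (';', '|', '&', '`', '$', whitespace).
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*")


def resolve_cgi_script(request_path: str) -> Tuple[Optional[str], str]:
    """Map a request path to the script it may run, or (None, reason) if refused.

    Decode once, reject bad names before any filesystem access, then confirm
    the canonical path is still under CGI_ROOT and that the script exists.
    The interpreter should then be started with an argv list, never via a shell.
    """
    decoded = unquote(request_path)
    if not decoded.startswith(CGI_PREFIX):
        return None, "not a CGI request"
    name = decoded[len(CGI_PREFIX):]
    if not SAFE_NAME.fullmatch(name):
        return None, "script name contains separators, dot segments or shell metacharacters"
    # Defence in depth: canonicalise and check the result did not leave the CGI root.
    candidate = posixpath.normpath(posixpath.join(CGI_ROOT, name))
    if posixpath.dirname(candidate) != CGI_ROOT:
        return None, "resolved path escapes the CGI root"
    if name not in KNOWN_SCRIPTS:  # real code: os.path.isfile(candidate)
        return None, "no such script"
    return candidate, "ok"
```

Run against the advisory's URL forms, the traversal path and the ';%20' form are both refused before the interpreter is ever consulted, while a plain existing script name resolves normally.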
SOLUTION
For the first vulnerability, delete all unnecessary servlets. Edit
the 'PERLEXECLOC=' line in the 'jzHttpSrv.properties' file to
disable CGI support. As for the second vulnerability, there's no
solution.
The author, Gang Zhang, was contacted on January 27, 2001. Gang
verified the vulnerabilities and expressed a willingness to issue
a fix.