geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "jericho escobar" <>
Subject Jetty 4.2.12 CVE ID:CAN-2002-1562 vulnerability?
Date Mon, 07 Jun 2004 04:35:43 GMT
<P>I'm not sure if this is the right mailing list but I couldn't find anything on Google
about this announcement.</P>
<P>The version in question is Jetty 4.2.12 integrated with JBoss 3.2.2.</P>
<P>According to the advisory, "<!--StartFragment --> an attacker can gain access
to arbitrary files on the remote system with the privileges of the Web server process. This
could lead to more serious attacks, depending on the information gathered. "</P>
<P>A test ...<BR><BR>telnet localhost 443<BR>GET / HTTP/1.1 <BR>Host:
ayanami:443/../ayanami:443 <BR><BR>HTTP/1.1 200 OK <BR>Date: Tue, 18 May
2004 03:05:11 GMT <BR>Server: Jetty/4.2.12 (SunOS/5.9 sparc java/1.4.2_02) <BR>Content-Type:
text/html;charset=ISO-8859-1 <BR>Set-Cookie: JSESSIONID=de31lw5g7eal;path=/ <BR>Transfer-Encoding:
chunked </P>
<P>&lt;html&gt;<BR>&lt;body&gt;<BR>Hello world<BR>&lt;/body&gt;<BR>&lt;/html&gt;<BR><BR>In
this example, Jetty returned the contents of ROOT.ear. Should Jetty throw a different error
code rather than a 200? </P>
<P>Thanks in advance.<BR><BR>~J</P><BR>
<p>___________________________________________________________<br>Sign-up for
Ads Free at<br>
<a href=""

View raw message