From: "jericho escobar"
To: user@geronimo.apache.org
Date: Sun, 06 Jun 2004 23:35:43 -0500
Subject: Jetty 4.2.12 CVE ID:CAN-2002-1562 vulnerability?

I'm not sure if this is the right mailing list but I couldn't find anything on Google about this announcement.

The version in question is Jetty 4.2.12 integrated with JBoss 3.2.2.

According to the advisory, "an attacker can gain access to arbitrary files on the remote system with the privileges of the Web server process. This could lead to more serious attacks, depending on the information gathered."

A test ...

telnet localhost 443
GET / HTTP/1.1
Host: ayanami:443/../ayanami:443

HTTP/1.1 200 OK
Date: Tue, 18 May 2004 03:05:11 GMT
Server: Jetty/4.2.12 (SunOS/5.9 sparc java/1.4.2_02)
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: JSESSIONID=de31lw5g7eal;path=/
Transfer-Encoding: chunked

<html>
<body>
Hello world
</body>
</html>

In this example, Jetty returned the contents of ROOT.ear. Should Jetty throw a different error code rather than a 200?

Thanks in advance.

~J


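Added example (not part of the original message and not Jetty's code): a strict syntax check of the Host value used in the test above, returning the 400 that RFC 7230 section 5.4 requires for an HTTP/1.1 request with a missing, repeated or invalid Host field. The function names and the two sample requests are constructed for illustration, and the accepted host syntax is a deliberately conservative subset of what the RFC allows.

```python
import ipaddress
import re

# Conservative subset of RFC 7230 "Host = uri-host [ ":" port ]":
# DNS-style labels (which also cover IPv4 literals) or a bracketed IPv6 literal.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|" + _LABEL + r"(?:\." + _LABEL + r")*)"
    r"(?::(?P<port>[0-9]{1,5}))?"
)

# Constructed sample requests; the second carries the Host value from the test.
SAMPLE_OK = "GET / HTTP/1.1\r\nHost: ayanami:443\r\n\r\n"
SAMPLE_BAD = "GET / HTTP/1.1\r\nHost: ayanami:443/../ayanami:443\r\n\r\n"


def parse_host_header(value):
    """Return (host, port) or raise ValueError if value is not host[:port]."""
    m = _HOST_RE.fullmatch(value.strip())
    if m is None:
        # Any '/', '..' path segment, second ':' or whitespace ends up here.
        raise ValueError("Host is not of the form host[:port]: %r" % value)
    host, port = m.group("host"), m.group("port")
    if host.startswith("["):
        ipaddress.IPv6Address(host[1:-1])  # raises ValueError if malformed
    if port is not None and not 0 < int(port) <= 65535:
        raise ValueError("port out of range: %r" % port)
    return host.lower(), int(port) if port is not None else None


def status_for(raw_request):
    """Status chosen from the Host field(s) alone (HTTP/1.1 request assumed)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    hosts = [l.split(":", 1)[1] for l in lines[1:]
             if l.lower().startswith("host:")]
    if len(hosts) != 1:  # missing or repeated Host field
        return 400
    try:
        parse_host_header(hosts[0])
    except ValueError:
        return 400
    return 200


if __name__ == "__main__":
    for name, req in (("plain host", SAMPLE_OK), ("host with path", SAMPLE_BAD)):
        print(name, "->", status_for(req))
```

Rejecting the request at this layer means the Host value is never used to select a virtual host or build a filesystem path.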