portals-jetspeed-user mailing list archives

From David S Taylor <da...@bluesunrise.com>
Subject [CVE-2016-0709] Apache Jetspeed information disclosure vulnerability
Date Thu, 03 Mar 2016 21:16:00 GMT
CVE-2016-0709: Code execution via ZIP file path traversal

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Jetspeed 2.2.0 to 2.2.2
Jetspeed 2.3.0
The unsupported Jetspeed 2.1.x versions may also be affected

Description:
The Import/Export function in the Portal Site Manager, part of the Jetspeed Administrative
Portlets, is vulnerable to a path traversal via specially crafted file names in ZIP archives.
Any user with permission to upload files via this function can upload a file with a name like
"../../../../tmp/foo" to write a file named "foo" in the /tmp directory. This is because the
code that performs the unzipping of the archive does not check the validity of the file names
before writing them to disk. This can be turned into code execution by uploading a .jsp file
and writing it somewhere on the file system where the web server will execute it when visited.

Mitigation:
2.2.0 - 2.3.0 users should upgrade to 2.3.1

Credit:
This issue was discovered by Andreas Lindh

References:
http://tomcat.apache.org/security.html



