Message-ID: <47B358EC.7010304@Gmail.com>
Date: Wed, 13 Feb 2008 22:54:04 +0200
From: Trancer <mtrancer@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: JSPWiki Multiple Vulnerabilities

JSPWiki Multiple Vulnerabilities

Vendor:
Janne Jalkanen JSPWiki – http://www.jspwiki.org

Application Description:
From the JSPWiki website - "JSPWiki is a feature-rich and extensible
WikiWiki engine built around standard J2EE components (Java, servlets,
JSP)."

Tested versions:
JSPWiki v2.4.104
JSPWiki v2.5.139
Earlier versions may also be affected.
JSPWiki Local .jsp File Inclusion Vulnerability

An input validation problem exists within JSPWiki which allows an
attacker to include, and thereby execute, arbitrary local .jsp files. An
attacker may leverage this issue to execute arbitrary server-side script
code on a vulnerable server with the privileges of the web server process.

Example (including the rss.jsp file from the application root directory):

http://server/JSPWikiPath/Edit.jsp?page=Main&editor=../../../rss

Note: the page parameter must be an existing page on the server.

This grants an attacker unauthorized access to sensitive .jsp files on 
the server and can lead to information disclosure.

Examples:

http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../Install

http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../admin/SecurityConfig

The first example discloses sensitive information such as the full path
of the application on the server, the page (and attachment) storage path,
the log files and the work directory, by including the application
installation page (Install.jsp).

The second example discloses the application's security configuration by
including the JSPWiki Security Configuration Verifier page
(admin/SecurityConfig.jsp).

In addition, JSPWiki allows users to upload (attach) files to wiki
pages. An attacker can use the information disclosed by the installation
page to upload a malicious .jsp file and execute it locally.

By executing malicious server-side code, an attacker may be able to
compromise the server.

JSPWiki Cross-Site Scripting Vulnerability

An attacker may leverage a cross-site scripting vulnerability to have
arbitrary script code executed in the browser of an unsuspecting user in
the context of the affected site. This may facilitate the theft of
cookie-based authentication credentials as well as other attacks.

Example:

http://server/JSPWikiPath/Edit.jsp?page=Main&editor=%3Cscript%3Ealert(document.cookie)%3C/script%3E
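Both issues above ride on the same editor parameter of Edit.jsp, so one detector covers both. The following is an added example (not JSPWiki's code and not part of the original advisory): it scans constructed access-log lines for traversal and markup in that parameter, and its SAFE_EDITOR pattern is the allowlist check a server-side fix would apply before turning the value into an include path. Hosts, IPs and timestamps in the sample log are made up.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); hosts, IPs and
# timestamps are made up, the request patterns mirror the advisory above.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Feb/2008:22:54:04 +0200] "GET /JSPWiki/Edit.jsp?page=Main&editor=plain HTTP/1.1" 200 4312
10.0.0.9 - - [13/Feb/2008:22:55:10 +0200] "GET /JSPWiki/Edit.jsp?page=Main&editor=../../../rss HTTP/1.1" 200 880
10.0.0.9 - - [13/Feb/2008:22:55:31 +0200] "GET /JSPWiki/Edit.jsp?page=User&editor=..%2F..%2F..%2Fadmin%2FSecurityConfig HTTP/1.1" 200 2210
10.0.0.7 - - [13/Feb/2008:22:56:02 +0200] "GET /JSPWiki/Edit.jsp?page=Main&editor=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 4401
10.0.0.7 - - [13/Feb/2008:22:56:40 +0200] "GET /JSPWiki/Wiki.jsp?page=Main HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')
# An editor name is a bare identifier; this is the allowlist check a
# server-side fix applies before turning the value into an include path.
SAFE_EDITOR = re.compile(r"[A-Za-z0-9_-]+")

def classify_editor(value: str) -> str:
    """Verdict for one fully decoded editor value."""
    if SAFE_EDITOR.fullmatch(value):
        return "ok"
    if ".." in value or value.startswith(("/", "\\")):
        return "traversal"      # path escapes the editors directory
    if "<" in value or ">" in value:
        return "injection"      # markup reflected into the page
    return "unexpected"

def editor_values(target: str):
    """Yield each 'editor' value of a request target, decoded twice so a
    double-encoded payload such as ..%252F is seen as ../ as well."""
    for raw in parse_qs(urlsplit(target).query, keep_blank_values=True).get("editor", []):
        yield unquote(raw)

def scan_log(text: str):
    """Return (line_no, client_ip, verdict, value) for every suspicious Edit.jsp request."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m or "/Edit.jsp" not in m.group("target"):
            continue
        client_ip = line.split(" ", 1)[0]
        for value in editor_values(m.group("target")):
            verdict = classify_editor(value)
            if verdict != "ok":
                findings.append((line_no, client_ip, verdict, value))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("line %d from %s: %s (editor=%r)" % finding)
```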

Original Document:
http://www.bugsec.com/articles.php?Security=48&Web-Application-Firewall=0

Download PDF:
http://www.bugsec.com/up_files/JSPWiki_Multiple_Vulnerabilities.pdf

Credit:
Moshe BA
BugSec LTD. - Security Consulting Company
Tel: +972-3-9622655
Fax: +972-3-9511433
Email: Info -at- BugSec -d0t- com
http://www.bugsec.com

-- 
Moshe :: Trancer
0nly Human.

