Title: Sun Java Web Server Web Admin / Bullettin Board Vulnerability
Severity: HIGH
Description:
The Java Web Server includes two features that when used together can be made to execute arbitrary code at the privilege level of the server.
The Web Administration module listens on port 9090 for administrative commands via http. By using the /servlet/ prefix, it is possible for a remote user to point the servlet "com.sun.server.http.pagecompile.jsp92.JspServlet" to any file in or below the administration webroot for compilation and execution.
The server also includes a sample application that provides bullettin board functionality. This application usesthe file board.html in the webroot to store all posted messages. Code can be entered as a posted message through the file /examples/applications/bboard/bboard_frames.html and will then be stored as part of board.html .
Therefore, it is possible for a remote user to inject JSP code into board.html, and then have the server execute it via the Administration module, using a URL like:
http:/target:9090/servlet/com.sun.server.http.pagecompile.jsp92.JspServlet/board.html
Affected Products:
- Sun Java Web Server 1.1.3
- Sun Java Web Server 2.0.0
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
