Executive Summary
Summary | |
---|---|
Title | Jetty HTTP server directory traversal vulnerability |
Information | |||
---|---|---|---|
Name | VU#402580 | First vendor Publication | 2009-05-01 |
Vendor | VU-CERT | Last vendor Modification | 2009-05-01 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Vulnerability Note VU#402580
Jetty HTTP server directory traversal vulnerability

Overview
A vulnerability in the Jetty HTTP server could allow a remote attacker to gain access to files outside of the normal document tree.

I. Description
Jetty provides an HTTP server, HTTP client, and javax.servlet container. An error in the way canonical paths are interpreted in the HTTP server's URI handler results in a directory traversal vulnerability. This vulnerability affects all versions of Jetty up to and including Jetty 6.1.16 and 7.0.0.M2. In order for a system to be vulnerable, it must either be using the DefaultServlet with support for aliases explicitly enabled or the ResourceHandler class to serve static content. The vendor reports that systems running Jetty on Unix-like operating systems must also contain a directory name ending in a '?' character in the web application or document root in order to be vulnerable.

II. Impact
A remote attacker can access files outside of the web application or document root by supplying a crafted URL to a vulnerable system.

III. Solution
Upgrade or apply a patch from the vendor
Jetty version 6.1.17 has been published to address this vulnerability. Users are encouraged to upgrade to this version.

If you cannot upgrade immediately, confirm that your Jetty instance is running with the DefaultServlet "aliases" initParam set to "false". You will find this setting in either your application's web.xml or in etc/webdefault.xml. If it is not set, it takes the default, safe, value of "false". You should also check that the org.mortbay.util.FileResource.checkAliases system property is either not set or set to true.

If you are using the ResourceHandler, you can secure your system against this vulnerability by compiling the source below against the version of Jetty that you are using, and using an instance of this class instead of the ResourceHandler:

```java
package org.mortbay.jetty.cert;

import java.net.MalformedURLException;

import org.mortbay.jetty.handler.ResourceHandler;
import org.mortbay.resource.Resource;
import org.mortbay.util.StringUtil;
import org.mortbay.util.URIUtil;

/**
 * Vendor-supplied temporary fix: a ResourceHandler that, whenever the
 * request path contains a literal '?', percent-encodes it before
 * canonicalising the path, so the canonicaliser no longer mishandles
 * directory names ending in '?'. The path is decoded again before the
 * normal lookup is performed.
 */
public class TempFixResourceHandler extends ResourceHandler {
    public Resource getResource(String path) throws MalformedURLException {
        if (path != null && path.indexOf('?') >= 0) {
            // Hide the '?' from canonicalPath(), then restore it with decodePath().
            path = URIUtil.decodePath(URIUtil.canonicalPath(StringUtil.replace(path, "?", "%3F")));
            if (path == null) {
                // canonicalPath() returns null when ".." climbs above the root: refuse.
                return null;
            }
        }
        return super.getResource(path);
    }
}
```

Systems Affected
Systems using Jetty versions 6.1.16 and earlier, and versions 7.0.0.M2 and earlier.
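The two defences the advisory leans on, a lexical canonicalisation of the request path that refuses any ".." climbing above the root, and a comparison of the real filesystem location against the real document root (which is what the "aliases"/checkAliases setting protects against), can be exercised outside Jetty. The following is an added, standalone example written for this page, not Jetty's own code and not the vendor's patch above: it does not reproduce the Jetty-internal '?' handling, it only shows what a static-file resolver must check. The class name, the fixture directory names ("dir?", "secret.txt", "alias.txt") and the probe paths are all constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Added example (not Jetty's code): a static-file resolver that applies the
 * two checks the advisory relies on. First the request path is canonicalised
 * lexically, rejecting any ".." that would climb above the document root.
 * Then the candidate file's real filesystem path is compared against the real
 * path of the root, which also catches symlinks ("aliases") pointing outside.
 */
public class SafeStaticResolver {
    private final Path root;

    public SafeStaticResolver(Path docroot) throws IOException {
        // Real path of the root, so the containment check below is not fooled
        // by a docroot that is itself reached through a symlink.
        this.root = docroot.toRealPath();
    }

    /**
     * Collapse "." and ".." segments without touching the filesystem.
     * Returns null when ".." would climb above "/". A '?' is just another
     * character here: the input must be the URL-decoded path only, with the
     * query string already stripped by the container.
     */
    static String canonicalPath(String path) {
        Deque<String> out = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (out.isEmpty()) {
                    return null; // traversal above the root: refuse outright
                }
                out.removeLast();
            } else {
                out.addLast(seg);
            }
        }
        return "/" + String.join("/", out);
    }

    /** Resolve a request path to a file under the root, or null if it must be refused. */
    public Path resolve(String requestPath) throws IOException {
        if (requestPath == null) {
            return null;
        }
        String canon = canonicalPath(requestPath);
        if (canon == null) {
            return null;
        }
        Path candidate = root.resolve(canon.substring(1));
        if (!Files.exists(candidate)) {
            return null;
        }
        // Second check: the real location must still be inside the real root.
        Path real = candidate.toRealPath();
        return real.startsWith(root) ? real : null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture (Unix-only: '?' is not a legal filename character on
        // Windows): a docroot containing a directory whose name ends in '?', a file
        // outside the docroot, and a symlink inside the docroot pointing at it.
        Path tmp = Files.createTempDirectory("vu402580-demo");
        Path docroot = Files.createDirectories(tmp.resolve("docroot"));
        Files.createDirectories(docroot.resolve("dir?"));
        Files.write(docroot.resolve("dir?/index.html"), "inside".getBytes(StandardCharsets.UTF_8));
        Files.write(tmp.resolve("secret.txt"), "outside".getBytes(StandardCharsets.UTF_8));
        try {
            Files.createSymbolicLink(docroot.resolve("alias.txt"), tmp.resolve("secret.txt"));
        } catch (IOException | UnsupportedOperationException e) {
            System.out.println("symlink fixture skipped: " + e.getMessage());
        }

        SafeStaticResolver resolver = new SafeStaticResolver(docroot);
        String[] probes = {
            "/dir?/index.html",        // legitimate file in the '?' directory: served
            "/dir?/./index.html",      // harmless "." segment: served
            "/dir?/../../secret.txt",  // traversal through the '?' directory: refused
            "/../secret.txt",          // traversal straight from the root: refused
            "/alias.txt",              // symlink escaping the root: refused by the real-path check
        };
        for (String p : probes) {
            System.out.println(p + " -> " + resolver.resolve(p));
        }
    }
}
```

The lexical check alone is what the vendor's temporary fix restores for paths containing '?'; the real-path comparison is the belt-and-braces check that makes the "aliases" setting irrelevant to safety, since a symlink out of the docroot is refused regardless of configuration. When auditing a deployment, run the same probe paths against the live server and expect 404 (or 403) for the last three.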
References
Thanks to Greg Wilkins of Mort Bay Consulting for reporting this vulnerability. This document was written by Chad R Dougherty.
Original Source
Url : http://www.kb.cert.org/vuls/id/402580 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-11-11 | Name : Mandriva Security Advisory MDVSA-2009:291 (jetty5) File : nvt/mdksa_2009_291.nasl |
2009-06-05 | Name : Fedora Core 9 FEDORA-2009-5500 (jetty) File : nvt/fcore_2009_5500.nasl |
2009-06-05 | Name : Fedora Core 11 FEDORA-2009-5509 (jetty) File : nvt/fcore_2009_5509.nasl |
2009-06-05 | Name : Fedora Core 10 FEDORA-2009-5513 (jetty) File : nvt/fcore_2009_5513.nasl |
2009-05-04 | Name : Jetty Cross Site Scripting and Information Disclosure Vulnerabilities File : nvt/jetty_34800.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
54186 | Jetty HTTP Server Document Root Traversal Arbitrary File Access: Jetty contains a flaw that allows a remote attacker to access files outside of the web path. The issue is due to the ResourceHandler and DefaultServlet's alias handling not properly sanitizing user input, specifically directory traversal style attacks (../../). |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2011-02-17 | Name : The remote host has an update manager installed that is affected by multiple ... File : vmware_VMSA-2010-0012.nasl - Type : ACT_GATHER_INFO |
2010-07-29 | Name : The remote web server has a cross-site scripting vulnerability. File : vmware_vcenter_update_mgr_xss.nasl - Type : ACT_GATHER_INFO |
2009-11-11 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_jetty5-091109.nasl - Type : ACT_GATHER_INFO |
2009-10-30 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-291.nasl - Type : ACT_GATHER_INFO |
2009-05-27 | Name : The remote Fedora host is missing a security update. File : fedora_2009-5500.nasl - Type : ACT_GATHER_INFO |
2009-05-27 | Name : The remote Fedora host is missing a security update. File : fedora_2009-5509.nasl - Type : ACT_GATHER_INFO |
2009-05-27 | Name : The remote Fedora host is missing a security update. File : fedora_2009-5513.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2016-02-27 13:27:00 | |
2014-02-17 12:07:48 | |