[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Unify eWave ServletExec upload

Title: Unify eWave ServletExec upload
Released by: Foundstone
Date: 31st October 2000
Printable version: Click here
                            Foundstone, Inc.


                      "Securing the Dot Com World"

                           Security Advisory

                      Unify eWave ServletExec upload


FS Advisory ID:         FS-103100-16-SRVX

Release Date:           October 31, 2000

Product:                Unify eWave ServletExec 3.0C

Vendor:                 Unify Corp.


Type:                   Uploading arbitrary files leading to remote

                        command execution.

Severity:               High

Author:                 Shreeraj Shah (shreeraj.shah@foundstone.com)

                        Saumil Shah (saumil.shah@foundstone.com)

                        Stuart McClure (stuart.mcclure@foundstone.com)

                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      All operating systems supported by ServletExec

Vulnerable versions:    Unify eWave ServletExec 3.0C

Foundstone Advisory:    http://www.foundstone.com/advisories.htm



        Unify's eWave ServletExec is a JSP and a Java Servlet engine

        which is used as a plug-in to popular web servers like

        Apache, IIS, Netscape, etc.

        ServletExec has a servlet called "UploadServlet" in its server

        side classes. UploadServlet, when invokable, allows an

        attacker to upload any file to any directory on the server. The

        uploaded file may have code that can later be executed on the

        server, leading to remote command execution.


        ServletExec has com.unify.ewave.servletexec.UploadServlet residing

        in its server side classes. Even though this servlet is not

        registered, it can be invoked on the server side by the following

        HTTP requests:

        nc 80

        GET /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0


        An attacker can create an HTML form on his or her local system

        to use this servlet to upload arbitrary files on to the server.

        A sample of such a form is given below:

" target="_new">'>

Upload Directory:

File to Upload:

Using this upload form, an attacker can upload a file, for example a JSP file, that can run arbitrary commands on the server side. Solution Upgrade to ServletExec version 3.0E, available at: http://www.servletexec.com/downloads/ Please contact the vendor for further details at info@unify.com or Unify Sales at 1-800-248-6439 Credits We would like to thank Unify for their prompt reaction to this problem and their co-operation in heightening awareness in the security community. Disclaimer The information contained in this advisory is the copyright (C) 2000 of Foundstone, Inc. and believed to be accurate at the time of printing, but no representation or warranty is given, express or implied, as to its accuracy or completeness. Neither the author nor the publisher accepts any liability whatsoever for any direct, indirect or conquential loss or damage arising in any way from any use of, or reliance placed on, this information for any purpose. This advisory may be redistributed provided that no fee is assigned and that the advisory is not modified in any way.

(C) 1999-2000 All rights reserved.