<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
<big><u><b>JSPWiki Multiple Vulnerabilities</b></u></big>
<p><strong><u><span
style="font-size: 10pt; color: black; font-family: Arial;"></span></u></strong><span
style="font-size: 10pt; color: black; font-family: Arial;"></span><strong><u><span
style="font-size: 10pt; color: black; font-family: Arial;"><br>
Vendor:<br>
</span></u></strong><span
style="font-size: 10pt; color: black; font-family: Arial;" lang="FI">Janne
Jalkanen JSPWiki – </span><span
style="font-size: 10pt; color: black; font-family: Arial;"><a
href="http://www.jspwiki.org/"><span style="" lang="FI">http://www.jspwiki.org</span></a></span><strong><u><span
style="font-size: 10pt; color: black; font-family: Arial;"><br>
<br>
Application Description:<br>
</span></u></strong><span
style="font-size: 10pt; color: black; font-family: Arial;">From
JSPWiki website - “JSPWiki is a feature-rich and extensible WikiWiki
engine built around a standard J2EE components (Java, servlets, JSP).”<br>
<br>
</span><strong><u><span
style="font-size: 10pt; color: black; font-family: Arial;">Tested
versions:<br>
</span></u></strong><span
style="font-size: 10pt; color: black; font-family: Arial;">JSPWiki
v2.4.104<br>
</span><span style="font-size: 10pt; color: black; font-family: Arial;">JSPWiki
v2.5.139<br>
</span><em><span
style="font-size: 10pt; color: black; font-family: Arial;">Earlier
versions may also be affected.<br>
</span></em><strong><u><span
style="font-size: 10pt; color: black; font-family: Arial;"><br>
JSPWiki Local .jsp File Inclusion Vulnerability<br>
</span></u></strong><span
style="font-size: 10pt; color: black; font-family: Arial;">An input
validation problem exists within JSPWiki that allows an attacker to
execute (include) arbitrary local </span><span
style="font-size: 10pt; color: black; font-family: 'Courier New';">.jsp</span><span
style="font-size: 10pt; color: black; font-family: Arial;">
files. An attacker may leverage this issue to execute arbitrary
server-side script code on a vulnerable server with the privileges of
the web server process.</span></p>
<p class="MsoNormal" dir="ltr"
style="direction: ltr; unicode-bidi: embed; text-align: left;"
align="left"><em><span
style="font-size: 10pt; color: black; font-family: Arial;">Example
(including </span></em><em><span
style="font-size: 10pt; color: black; font-family: 'Courier New';">rss.jsp</span></em><em><span
style="font-size: 10pt; color: black; font-family: Arial;"> file from
the application root directory):<o:p></o:p></span></em></p>
<p class="MsoNormal" dir="ltr"
style="direction: ltr; unicode-bidi: embed; text-align: left;"
align="left"><span
style="font-size: 10pt; color: black; font-family: 'Courier New';"><a
href="http://server/JSPWikiPath/Edit.jsp?page=Main&editor=../../../rss">http://server/JSPWikiPath/Edit.jsp?page=Main&editor=../../../rss</a><o:p></o:p></span></p>
<p class="MsoNormal" dir="ltr"
style="direction: ltr; unicode-bidi: embed; text-align: left;"
align="left"><em><span
style="font-size: 10pt; color: black; font-family: Arial;">Note: </span></em><em><span
style="font-size: 10pt; color: black; font-family: 'Courier New';">page</span></em><em><span
style="font-size: 10pt; color: black; font-family: Arial;"> parameter
must be an existing page on the server.<o:p></o:p></span></em></p>
<p class="MsoNormal" dir="ltr"
style="direction: ltr; unicode-bidi: embed; text-align: left;"
align="left"><span
style="font-size: 10pt; color: black; font-family: Arial;">This grants
an attacker unauthorized access to sensitive </span><span
style="font-size: 10pt; color: black; font-family: 'Courier New';">.jsp</span><span
style="font-size: 10pt; color: black; font-family: Arial;"> files on
the server and can lead to information disclosure.<o:p></o:p></span></p>
<p class="MsoNormal" dir="ltr"
style="direction: ltr; unicode-bidi: embed; text-align: left;"
align="left"><em><span
style="font-size: 10pt; color: black; font-family: Arial;">Examples:<o:p></o:p></span></em></p>
<p class="MsoNormal" dir="ltr"
style="direction: ltr; unicode-bidi: embed; text-align: left;"
align="left"><span style="font-size: 10pt; font-family: 'Courier New';"><a
href="http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../Install">http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../Install</a><o:p></o:p></span></p>
<p class="MsoNormal" dir="ltr"
style="direction: ltr; unicode-bidi: embed; text-align: left;"
align="left"><span style="font-size: 10pt; font-family: 'Courier New';"><a
href="http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../admin/SecurityConfig">http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../admin/SecurityConfig</a><o:p></o:p></span></p>
<p class="MsoNormal" dir="ltr"
style="direction: ltr; unicode-bidi: embed; text-align: left;"
align="left"><span
style="font-size: 10pt; color: black; font-family: Arial;">The
first example discloses sensitive information such as the full path of
the application on the server, page (and attachments) storage path, log
files and work directory by including the application installation file (</span><span
style="font-size: 10pt; color: black; font-family: 'Courier New';">Install.jsp</span><span
style="font-size: 10pt; color: black; font-family: Arial;">).</span></p>
<p class="MsoNormal" dir="ltr"
style="direction: ltr; unicode-bidi: embed; text-align: left;"
align="left"><span
style="font-size: 10pt; color: black; font-family: Arial;">The
second example discloses the application security configuration by
including the JSPWiki Security Configuration Verifier file (</span><span
style="font-size: 10pt; color: black; font-family: 'Courier New';">admin/SecurityConfig.jsp</span><span
style="font-size: 10pt; color: black; font-family: Arial;">).</span></p>
<p class="MsoNormal" dir="ltr"
style="direction: ltr; unicode-bidi: embed; text-align: left;"
align="left"><span
style="font-size: 10pt; color: black; font-family: Arial;">In
addition, JSPWiki allows users to upload (attach) files to entry pages.
An attacker can use the information disclosed by the installation file
to upload a malicious </span><span
style="font-size: 10pt; color: black; font-family: 'Courier New';">.jsp</span><span
style="font-size: 10pt; color: black; font-family: Arial;"> file and
locally execute it.</span></p>
<p class="MsoNormal" dir="ltr"
style="direction: ltr; unicode-bidi: embed; text-align: left;"
align="left"><u><span
style="font-size: 10pt; color: black; font-family: Arial;">By
executing malicious server-side code, an attacker may be able to
compromise the server.<o:p></o:p></span></u></p>
<p class="MsoNormal" dir="ltr"
style="direction: ltr; unicode-bidi: embed; text-align: left;"
align="left"><span
style="font-size: 10pt; color: black; font-family: Arial;"><o:p> </o:p></span><strong><u><span
style="font-size: 10pt; color: black; font-family: Arial;">JSPWiki
Cross-Site Scripting Vulnerability<br>
</span></u></strong><span
style="font-size: 10pt; color: black; font-family: Arial;">An
attacker may leverage a cross-site scripting vulnerability to have
arbitrary script code executed in the browser of an unsuspecting user
in the context of the affected site. This may facilitate the theft of
cookie-based authentication credentials as well as other attacks.</span></p>
<p class="MsoNormal" dir="ltr"
style="direction: ltr; unicode-bidi: embed; text-align: left;"
align="left"><span
style="font-size: 10pt; color: black; font-family: Arial;"><o:p> </o:p></span><em><span
style="font-size: 10pt; color: black; font-family: Arial;">Example:<o:p></o:p></span></em></p>
<p class="MsoNormal" dir="ltr"
style="direction: ltr; unicode-bidi: embed; text-align: left;"
align="left"><span
style="font-size: 10pt; color: black; font-family: 'Courier New';"><a
href="http://server/JSPWikiPath/Edit.jsp?page=Main&editor=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E">http://server/JSPWikiPath/Edit.jsp?page=Main&editor=%3Cscript%3Ealert(document.cookie)%3C/script%3E</a><o:p></o:p></span></p>
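<p>The following detection logic is an added example, not part of the original advisory or of JSPWiki: it scans web-server access logs for <code>Edit.jsp</code> requests whose <code>editor</code> parameter carries path traversal or markup, the two abuses of that parameter described above. The log format, the sample lines, the client addresses and the assumption that legitimate editor names are short identifiers (such as the sample value <code>plain</code>) are constructed for illustration.</p>

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: legitimate editor names are short identifiers (letters, digits, _ and -).
SAFE_EDITOR = re.compile(r"[A-Za-z0-9_-]{1,32}")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')
# Constructed sample access log; the two suspicious URLs are the advisory's own examples.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2008:10:00:00 +0000] "GET /JSPWikiPath/Edit.jsp?page=Main&editor=plain HTTP/1.1" 200 5120
192.0.2.11 - - [01/Jan/2008:10:00:05 +0000] "GET /JSPWikiPath/Edit.jsp?page=User&editor=../../../Install HTTP/1.1" 200 9300
192.0.2.12 - - [01/Jan/2008:10:00:09 +0000] "GET /JSPWikiPath/Edit.jsp?page=Main&editor=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 4100
192.0.2.13 - - [01/Jan/2008:10:00:12 +0000] "GET /JSPWikiPath/Wiki.jsp?page=Main HTTP/1.1" 200 7000
"""

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so nested encodings are normalised before checks."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def classify_editor(value):
    """Return 'ok', 'markup', 'traversal' or 'unexpected' for one editor value."""
    v = fully_decode(value)
    if SAFE_EDITOR.fullmatch(v):
        return "ok"
    if any(ch in v for ch in "<>\"'"):
        return "markup"          # characters that can break out into HTML
    if ".." in re.split(r"[/\\]", v):
        return "traversal"       # a parent-directory path component
    return "unexpected"

def scan(log_text):
    """Return (client, editor_value, verdict) for each suspicious Edit.jsp request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        url = urlsplit(m.group(1)) if m else None
        if url is None or not url.path.endswith("/Edit.jsp"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("editor", []):
            verdict = classify_editor(value)
            if verdict != "ok":
                findings.append((line.split()[0], value, verdict))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

<p>The same identifier-only rule can serve as the server-side allowlist check on <code>editor</code> before the value is used to choose a file to include or is written back into the page.</p>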
<p class="MsoNormal" dir="ltr"
style="direction: ltr; unicode-bidi: embed; text-align: left;"
align="left"><span
style="font-size: 10pt; color: black; font-family: Arial;"><font
face="Arial"><u><strong>Original Document:<br>
</strong><font face="Arial"><font face="Arial"><a
href="http://www.bugsec.com/articles.php?Security=48&Web-Application-Firewall=0">http://www.bugsec.com/articles.php?Security=48&Web-Application-Firewall=0</a></font></font><br>
</u></font><br>
<strong><u>Download PDF:<br>
</u></strong><font face="Arial"><a
href="http://www.bugsec.com/up_files/JSPWiki_Multiple_Vulnerabilities.pdf">http://www.bugsec.com/up_files/JSPWiki_Multiple_Vulnerabilities.pdf</a></font><br>
</span><strong><u><span
style="font-size: 10pt; color: black; font-family: Arial;"><br>
</span></u></strong></p>
<p class="MsoNormal" dir="ltr"
style="direction: ltr; unicode-bidi: embed; text-align: left;"
align="left"><strong><u><span
style="font-size: 10pt; color: black; font-family: Arial;">Credit:<br>
</span></u></strong><span
style="font-size: 10pt; color: black; font-family: Arial;">Moshe BA<br>
</span><span style="font-size: 10pt; color: black; font-family: Arial;">BugSec
LTD. - Security Consulting Company<br>
</span><span style="font-size: 10pt; color: black; font-family: Arial;">Tel:
+972-3-9622655<br>
</span><span style="font-size: 10pt; color: black; font-family: Arial;">Fax:
+972-3-9511433<br>
</span><span style="font-size: 10pt; color: black; font-family: Arial;">Email:
Info -at- BugSec -d0t- com<br>
</span><span style="font-size: 10pt; color: black; font-family: Arial;"><a
href="http://www.bugsec.com/">http://www.bugsec.com</a></span></p>
<pre class="moz-signature" cols="72">--
Moshe :: Trancer
0nly Human.</pre>
</body>
</html>