Apache Geronimo Application Server Multiple Input Validation Vulnerabilities

Vulnerability ID: 1117595    Vulnerability type: Path traversal
Published: 2009-04-16    Updated: 2009-04-28
CVE: CVE-2008-5518    CNNVD ID: CNNVD-200904-347
Platform: Multiple    CVSS score: 9.4
|Vulnerability sources
https://www.exploit-db.com/exploits/8458
https://cxsecurity.com/issue/WLB-2009040198
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-347
|Vulnerability details
Apache Geronimo is an open-source J2EE server from the Apache Software Foundation (USA), notable for its scalability and configuration management features. The /console/portal/Server/Monitoring script of the Apache Geronimo web administration console does not properly validate the name, ip, username and description parameters in user requests, so a remote attacker can carry out cross-site scripting or cross-site request forgery attacks by submitting malicious requests. In addition, the /console/portal//Services/Repository script does not properly validate the group, artifact, version and fileType parameters, the /console/portal/EmbeddedDB/DBManager script does not properly validate the createDB parameter, and the /console/portal//Security/Keystores/__pm0x3console-base0x2Keystores!824133314|0_view/__rp0x3console-base0x2Keystores!824133314|0_mode/createKeystore script does not properly validate the filename parameter, allowing a remote attacker to carry out directory traversal attacks.
|Vulnerability EXP
Digital Security Research Group [DSecRG] Advisory       #DSECRG-09-018

Application:                Apache Geronimo Application Server
Versions Affected:          2.1 - 2.1.3
Vendor URL:                 http://geronimo.apache.org/
Bug:                        Directory Traversal File Upload
Exploits:                   YES
Reported:                   10.12.2008
Vendor response:            10.12.2008
Solution:                   YES
Date of Public Advisory:    16.04.2009
CVE-number:                 2008-5518
Author:                     Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)



Description
***********

Geronimo Server Console multiple Directory Traversal vulnerabilities.

A vulnerability was found in several portlets including Services/Repository, Embedded 
DB/DB Manager, and Security/Keystores when running on a Windows server.  This issue may 
allow a remote attacker to upload any file in any directory.

This affects all full JavaEE Geronimo releases or other distributions which include the 
administration web console up to and including Geronimo 2.1.3.



Details
*******

1. Directory Traversal vulnerability found in script /console/portal//Services/Repository

Vulnerable parameters: "group", "artifact", "version", "fileType".

This issue may allow an attacker to upload any file to any directory on the remote server.


2. Directory Traversal vulnerability found in script /console/portal/Embedded DB/DB Manager

Vulnerable parameter "createDB".


3. Directory Traversal vulnerability found in script

/console/portal//Security/Keystores/__pm0x3console-base0x2Keystores!824133314|0_view/__rp0x3console-base0x2Keystores!824133314|0_mode/createKeystore

Vulnerable parameter "filename".
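The three findings above share one root cause: request parameters (group, artifact, version, fileType, createDB, filename) are spliced into a file system path without being constrained to a single path element, and on Windows a backslash works as a separator as well. The following Python is an added illustration of the fix pattern (an allow-list per component plus a canonical-path containment check); it is not Geronimo's code, and the repository root and Maven-style directory layout are assumptions for the example.

```python
import re
from pathlib import Path

# Constructed repository root for this example, not Geronimo's real layout.
REPO_ROOT = Path("/srv/geronimo/repository")

# One path element: alphanumeric start, then a small safe set; rejects "/", "\" (Windows), "..", empty.
_SAFE_COMPONENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

class TraversalError(ValueError):
    """Raised when a request parameter would leave the intended directory."""

def check_component(name, value):
    """Validate one request parameter as a single, separator-free path element."""
    if not _SAFE_COMPONENT.fullmatch(value):
        raise TraversalError(f"invalid {name}: {value!r}")
    return value

def contained_in(root, target):
    """Defence in depth: canonicalise both paths and confirm target stays under root."""
    return root.resolve() in target.resolve().parents

def repository_target(group, artifact, version, file_type, root=REPO_ROOT):
    """Upload destination for the Services/Repository parameters. The Maven-style layout
    (dotted group -> directories, then artifact/version/<artifact>-<version>.<fileType>)
    is an assumption made for illustration."""
    group_dirs = [check_component("group", g) for g in group.split(".")]
    for name, value in (("artifact", artifact), ("version", version), ("fileType", file_type)):
        check_component(name, value)
    target = root.joinpath(*group_dirs, artifact, version, f"{artifact}-{version}.{file_type}")
    if not contained_in(root, target):
        raise TraversalError("resolved path escapes repository root")
    return target.resolve()

def single_name_target(param, value, root):
    """Same check for the one-parameter cases (createDB, keystore filename)."""
    check_component(param, value)
    target = root / value
    if not contained_in(root, target):
        raise TraversalError(f"{param} escapes its directory")
    return target.resolve()

def is_rejected(func, *args):
    """True when the validator raises TraversalError for these arguments."""
    try:
        func(*args)
    except TraversalError:
        return True
    return False
```

The allow-list does the real work; the containment check only catches mistakes in path construction that the allow-list did not anticipate.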



Solution
********

These security vulnerabilities are fixed in the Geronimo 2.1.4 release.

New version of Geronimo 2.1.4 can be downloaded from this location:

http://geronimo.apache.org/downloads.html

An alternative workaround (if you choose to not upgrade to Apache Geronimo 2.1.4) would 
be to stop or undeploy the administration web console application in the server.


Credits
*******

http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214



About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, 
audit and penetration testing services, risk analysis and ISMS-related services, and certification for 
the ISO/IEC 27001:2005 and PCI DSS standards.
Digital Security Research Group focuses on web application and database security problems, with vulnerability 
reports, advisories and whitepapers posted regularly on our website.

Contact:    research [at] dsecrg [dot] com
            http://www.dsecrg.com
            http://www.dsec.ru

# milw0rm.com [2009-04-16]
|References

Source: issues.apache.org
Link: http://issues.apache.org/jira/browse/GERONIMO-4597
Source: geronimo.apache.org
Link: http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214
Source: XF
Name: geronimo-keystores-directory-traversal(49900)
Link: http://xforce.iss.net/xforce/xfdb/49900
Source: XF
Name: geronimo-dbmanager-directory-traversal(49899)
Link: http://xforce.iss.net/xforce/xfdb/49899
Source: XF
Name: geronimo-repository-directory-traversal(49898)
Link: http://xforce.iss.net/xforce/xfdb/49898
Source: VUPEN
Name: ADV-2009-1089
Link: http://www.vupen.com/english/advisories/2009/1089
Source: BID
Name: 34562
Link: http://www.securityfocus.com/bid/34562
Source: BUGTRAQ
Name: 20090416 [DSECRG-09-018] Apache Geronimo - Directory Traversal vulnerabilities
Link: http://www.securityfocus.com/archive/1/archive/1/502733/100/0/threaded
Source: MILW0RM
Name: 8458
Link: http://www.milw0rm.com/exploits/8458
Source: SECUNIA
Name: 34715
Link: http://secunia.com/advisories/34715
Source: MISC
Link: http://dsecrg.com/pages/vul/show.php?id=118