TmaxSoft JEUS Alternate Data Streams File Disclosure Vulnerability
2008-12-12 21:30:02

Title: TmaxSoft JEUS Alternate Data Streams Vulnerability
Author: Simon Ryeo (bar4mi (at) gmail)
Severity: High
Impact: Remote File Disclosure
Vulnerable Version: < JEUS 5: Fix#26 on NTFS
References:
 - http://www.microsoft.com/technet/security/bulletin/ms98-003.mspx
 - http://www.tmaxsoft.com
 - http://www.tmax.co.kr/tmaxsoft/index.screen
History:
 - 10.22.2008: Initial notification
 - 10.23.2008: The vendor responded
 - 11.21.2008: The vendor replied with detailed information.
 - 12.12.2008: The vendor finished the preparation for patches and responses.

Description:
On NTFS, TmaxSoft JEUS, which is a famous web application server, contained a vulnerability that allows an attacker to obtain web application source files. This was caused by ADSs (Alternate Data Streams; ::$DATA). JEUS could not handle ::$DATA, so it treated test.jsp::$DATA as a normal file when it was requested. This is similar to the past MS Windows IIS vulnerability (Bid 0149).

Exploit:
The attacker can obtain them easily using a URL request.
http://www.target.com/foo/bar.jsp::$DATA

Solution:
The vendor released solutions for this problem.

Method 1) Upgrade JEUS
 - JEUS 5: http://technet.tmax.co.kr/kr/download/platformList.do?groupCode=WAS&productCode=Jeus&versionCode=5.0.0.26.P&fc=down&sc=down_product&mid=binary
 - JEUS 4:
   a. Change the WebtoB function
   b. Upgrade JEUS to version 6 (the service for version 4 will be out of service after Dec 2009)

Method 2) Change the WebtoB function
 - Change the message communication method from 'URI' to 'EXT'
   (This is valid whether you use the WebtoB embedded in JEUS or the single WebtoB)

Method 3) Install the patch (ex. jext.jar)
 - The patch file will be valid until Jan. 2009
   (Target version: 3.3.7.15, 4.0, 4.1, 4.2 final, 5.x (each version will be offered below Fix#26))

Please refer to the TmaxSoft homepage for detailed support plans. It will be valid until Mar. 2009. (http://www.tmaxsoft.com)
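
A log check for the request form shown under Exploit, as an added example that is not part of the original advisory: it scans web access logs for request paths carrying the ::$DATA stream suffix, decoding percent-encoding before matching. The log lines, addresses, Common Log Format layout and function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Common Log Format); addresses and paths are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Dec/2008:21:30:02 +0900] "GET /foo/bar.jsp HTTP/1.1" 200 5120
192.0.2.44 - - [12/Dec/2008:21:31:10 +0900] "GET /foo/bar.jsp::$DATA HTTP/1.1" 200 912
192.0.2.44 - - [12/Dec/2008:21:31:15 +0900] "GET /foo/bar.jsp%3A%3A%24data HTTP/1.1" 200 912
192.0.2.51 - - [12/Dec/2008:21:32:40 +0900] "GET /search.jsp?q=a::$DATA HTTP/1.1" 200 300
192.0.2.60 - - [12/Dec/2008:21:33:00 +0900] "GET /foo/bar.jsp::$DATA HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ADS_MARKER = "::$data"  # NTFS default data stream suffix, compared case-insensitively


def normalize_path(target, max_rounds=3):
    """Drop the query string and undo (possibly nested) percent-encoding."""
    path = target.split("?", 1)[0]  # only the path is mapped to a file on disk
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_ads_requests(log_text):
    """Return (ip, decoded_path, status, verdict) for each ::$DATA path request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path = normalize_path(m["target"])
        if ADS_MARKER in path.lower():
            # Assumption: a 2xx status means the server returned content for the
            # stream name, so the file behind it should be treated as disclosed.
            verdict = "served" if m["status"].startswith("2") else "rejected"
            findings.append((m["ip"], path, int(m["status"]), verdict))
    return findings


if __name__ == "__main__":
    for finding in find_ads_requests(SAMPLE_LOG):
        print(finding)
```

Entries marked "served" identify source files to review for embedded credentials or connection strings; "rejected" entries show the request form being refused after a fix is applied.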

