JBoss DeploymentFileRepository katalogtraversering - Advisories

Software Inspectors

	Scan Online

	Personal (PSI)

	Network (NSI 2.0)

Solutions For

	Security Professionals

	Security Vendors

Free Solutions For

	Open Communities

	Journalists & Media

Secunia Advisories

	Search

	Historic Advisories

	Listed By Product

	Listed By Vendor

	Statistics / Graphs

	Secunia Research

	Report Vulnerability

	About Advisories

Virus Information

	Chronological List

	Last 10 Virus Alerts

	About Virus Information

Secunia Customers

	Customer Area

JBoss DeploymentFileRepository katalogtraversering

Secunia Advisory:	SA23095
Udsendt:	2006-11-28

Kritisk:	Moderat kritisk
Betydning:	Manipulation af data Afsløring af følsomme oplysninger Systemadgang
Hvor:	Fra Lokalt Netværk
Løsning Status:	Producent Patch

Software:	JBoss AS 3.x JBoss AS 4.x JBoss Web Services (JBossWS) 1.x

CVE reference:	CVE-2006-5750 (Secunia mirror)

	Want to know the next time vulnerabilities are fixed in this product? - Companies can be alerted via email and SMS!

Beskrivelse: Oliver Karow har rapporteret en sårbarhed i JBoss, som kan udnyttes af ondsindede brugere til at få kendskab til følsom information, manipulere data og potentielt kompromittere et sårbart system. Sårbarheden skyldes en inputvalideringsfejl i "setBaseDir()" metoden i org.jboss.console.manager.DeploymentFileRepository. Dette kan udnyttes til at læse, skrive og slette vilkårlige filer og potentielt eksekvere vilkårlig kode med rettigheder som JBoss-brugeren. Sårbarheden er rapporteret i JBoss Web Server 1.0.0.GA, men andre versioner kan også være berørte. Det rapporteres, at følgende versioner af JBoss Application Server er sårbare: * JBossAS-4.0.4.GA * JBossAS-4.0.3 SP1 * JBossAS-4.0.2 Final * JBossAS-3.2.7 Final * JBossAS-4.0.3 Final * JBossAS-4.0.1 SP1 * JBossAS-4.0.1 Final * JBossAS-4.0.0 Final * JBossAS-3.2.8.SP1 * JBossAS-3.2.8 Final * JBossAS-3.2.6 Final * JBossAS-3.2.5 Final Løsning: Installér patch: http://jira.jboss.com/jira/browse/ASPATCH-126 Rapporteret af / Kredit: Oliver Karow Original Advisory: Symantec: http://www.symantec.com/enterprise/research/SYMSA-2006-011.txt Andre Kilder: JBoss: http://jira.jboss.com/jira/browse/ASPATCH-126



Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

3 Relaterede Secunia Advisories

1. JBoss "org.jboss.web.WebServer" afsløring af information

2. JBoss HSQLDB database sårbarhed

3. JBoss afsløring af JSP-siders kildekode

Send Feedback to Secunia

Hvis du har ny information angående dette Secunia advisory eller et produkt i vores database, så send det venligst til os. Du kan sende det til os enten ved at bruge vores web formular eller ved at sende det til vuln@secunia.com. Ideer, foreslag og andet feedback er også meget velkommen.

Secunia PSI
Scan | Patch | Track
Free Download

Secunia Poll

Most Popular Advisories

1.	Novell eDirectory Multiple Vulnerabilities

2.	phpJobScheduler "installed_conf ig_file" File Inclusion Vulnerabilities

3.	HP TCP/IP Services for OpenVMS Finger Format String Vulnerability

4.	phpMyRealty "price_max" SQL Injection Vulnerability

5.	Adium MSN SLP Message Integer Overflow Vulnerabilities

6.	dotProject SQL Injection and Cross-Site Scripting

7.	IBM WebSphere Application Server for z/OS HTTP Server mod_proxy_ftp Vulnerability

8.	Blogn Cross-Site Scripting and Cross-Site Request Forgery

9.	Caudium "configvar" Insecure Temporary Files

10.	Red Hat update for libtiff