Trustwave SpiderLabs Security Advisory TWSL2015-016:
Path Traversal in Oracle GlassFish Server Open Source Edition

Vendor: Oracle Corporation (Project sponsored by Oracle)
Product: GlassFish Server Open Source Edition

Built using the GlassFish Server Open Source Edition, Oracle GlassFish Server delivers a flexible, lightweight and extensible Java EE 6 platform. It provides a small footprint, fully featured Java EE application server that is completely supported for commercial deployment and is available as

The Administration Console of Oracle GlassFish Server, which is listening by default on port 4848/TCP, is prone to a directory traversal vulnerability. This vulnerability can be exploited by an authenticated remote attacker to access sensitive data on the server.

Credit: Piotr Karolak of Trustwave's SpiderLabs

Proof of Concept on Microsoft Windows installation

The authenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request utilizing a simple bypass. The response headers identify the target:

Server: GlassFish Server Open Source Edition 4.1
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition 4.1 Java/Oracle Corporation/1.8)

The response contains the contents of the "win.ini" file, proving that the server allows remote users to download the contents of system files.
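To make the evidence check above reproducible, here is an added Python example (not code from the Trustwave advisory) that parses a raw HTTP response, reads the GlassFish version out of the Server / X-Powered-By headers quoted above, and decides whether the body looks like a leaked win.ini. The response text is constructed for illustration; only the two header values come from the advisory. The traversal request itself is not shown in this excerpt and is not reproduced here, so the example covers only the verification step: given a response, was a Windows system file returned?

```python
"""Verify a suspected win.ini leak from a GlassFish 4.1 traversal response.

Added example, not part of the advisory. SAMPLE_RESPONSE is constructed:
the Server / X-Powered-By values are those quoted in the advisory, the body
imitates the default section headers of a Windows win.ini.
"""
import re

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: GlassFish Server Open Source Edition 4.1\r\n"
    "X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition 4.1 "
    "Java/Oracle Corporation/1.8)\r\n"
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "; for 16-bit app support\r\n"
    "[fonts]\r\n"
    "[extensions]\r\n"
    "[mci extensions]\r\n"
    "[files]\r\n"
    "[Mail]\r\n"
    "MAPI=1\r\n"
)

# Section headers present in a stock win.ini; a leak should show several of them.
WIN_INI_SECTIONS = ("[fonts]", "[extensions]", "[mci extensions]", "[files]")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def glassfish_version(headers):
    """Return the GlassFish version advertised in Server or X-Powered-By, else None."""
    pattern = r"GlassFish Server Open Source Edition (\d+(?:\.\d+)*)"
    for name in ("server", "x-powered-by"):
        match = re.search(pattern, headers.get(name, ""))
        if match:
            return match.group(1)
    return None


def looks_like_win_ini(body, min_sections=2):
    """Heuristic: count stock win.ini section headers in the body.

    Requiring more than one section avoids flagging a page that merely
    mentions "[fonts]" somewhere in an error message.
    """
    lowered = body.lower()
    hits = sum(1 for section in WIN_INI_SECTIONS if section in lowered)
    return hits >= min_sections


def assess(raw):
    """Summarise a response: target version and whether win.ini was leaked."""
    status, headers, body = parse_response(raw)
    return {
        "status": status,
        "glassfish": glassfish_version(headers),
        "win_ini_leaked": status == 200 and looks_like_win_ini(body),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
```

The same structure works for a Linux target by swapping WIN_INI_SECTIONS for markers of the file requested there (for /etc/passwd, lines matching `^[^:]+:x:\d+:\d+:`), which is why the section list is kept separate from the parsing logic.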