Home | FAQ | Contact | Privacy Policy
US-CERT
Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information
 

 View Notes By
Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric

 Other Documents
Technical Alerts

Technical Bulletins

Alerts

Security Tips

Mort Bay Information for VU#402580

Date Notified:
Date Updated:2009-05-01
Statement Date:2009-04-28
Status Summary:Vulnerable

Vendor Statement

A security vulnerability has been discovered in jetty that effects

    all version of Jetty up to and including jetty 6.1.16 and 7.0.0.M2
    On a vulnerable server, a crafted URL may access files outside of
    the web application or document tree.

    To be vulnerable to this issue, you must EITHER:

     - be using the DefaultServlet with support for aliases
       explicitly turned on.

       OR

     - be using the ResourceHandler class to serve static content.

    Furthermore, on unix systems, system are only vulnerable if a directory
    with a name ending with the character '?' to exist in the webapp or
    docroot. On unix, this is an unlikely situation.

    On windows systems, this directory does not need to exist, so the
    vulnerability requires only a single change from the default
    configuration.

    A 6.1.17 release will be available shortly with this vulnerability
    closed.  Some immediate preventative actions are listed below.

    If you are not using the ResourceHandler, then you should
    confirm that your jetty instance is running with
    the Default servlet "aliases" initParam set to "false".
    You will find this setting in either your application's
    web.xml or the etc/webdefault.xml. If it is not set,
    then it takes the default, safe, value of "false".
    You should also check that the org.mortbay.util.FileResource.checkAliases
    system property is either not set, or set to true.

    If you are using the ResourceHandler, then you can secure your
    system against this vulnerability by compiling the source
    at the bottom of this message against the version of Jetty
    that you are using.  Use an instance of this class instead
    of the ResourceHandler


    package org.mortbay.jetty.cert;
    import java.net.MalformedURLException;
    import org.mortbay.jetty.handler.ResourceHandler;
    import org.mortbay.resource.Resource;
    import org.mortbay.util.StringUtil;
    import org.mortbay.util.URIUtil;
    public class TempFixResourceHandler extends ResourceHandler
    {
        public Resource getResource(String path) throws MalformedURLException
        {
            if (path!=null && path.indexOf('?')>=0)
            {
                path=URIUtil.decodePath(URIUtil.canonicalPath(StringUtil.replace(path,"?","%3F")));
                if (path==null)
                    return null;
            }
            return super.getResource(path);
        }
    }

    Vendor Information

    http://docs.codehaus.org/display/JETTY/Jetty+Security

http://jira.codehaus.org/browse/JETTY-1004

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Produced 2009 by US-CERT, a government organization
Disclaimers and copyright information