| VID |
21201 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
Servlet |
| Detailed Description |
Unify's eWave ServletExec is a JSP (JavaServer Pages) and Java Servlet engine that is used as a plug-in for popular web servers such as Apache, IIS, and Netscape.
eWave ServletExec versions 3.0C and earlier contain an "UploadServlet" servlet, which could allow a remote attacker to upload arbitrary files to the server. The servlet is invoked by requesting a URL that contains "/servlet/com.unify.ewave.servletexec.UploadServlet" in the path. An attacker can use this to upload arbitrary files and execute them on the server.
* References: http://www.iss.net/security_center/static/5450.php, http://www.servletexec.com/downloads/ |
| Recommendation |
Upgrade to the latest version of eWave ServletExec (3.0E or later) when it becomes available from the Unify eWave ServletExec Web site. See References. |
| Related URL |
CVE-2000-1024 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|