| Field | Value |
|---|---|
| VID | 21203 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The sample bulletin-board servlet is installed at /servlet/sunexamples.BBoardServlet. In the default configuration of Sun Java Web Server versions 2.0 and 1.1.3 it allows a remote attacker to execute arbitrary code as the user running the server. The Web Administration (WebAdmin) program lets a user point a servlet at any file on the system, which the server then compiles and executes. An attacker can post JSP (Java Server Pages) code through the sample bulletin-board program that ships with the Java Web Server and then have WebAdmin compile and execute it. References: http://www.iss.net/security_center/static/5135.php and http://www.securityfocus.com/bid/1459 |
| Recommendation | Apply the appropriate patch for your system: version 1.1.3 from http://java.sun.com/products/java-server/jws113patch3.html, version 2.0 from http://java.sun.com/products/java-server/jws20patch3.html. A temporary fix is described in Sun's Java Web Server FAQ at http://www.sun.com/software/jwebserver/faq/jwsca-2000-02.html. The issue can also be eliminated by removing the sample applications from the examples directory, as described in that document. |
| Related URL | CVE-2000-0629 (CVE) |
| Related URL | http://www.securityfocus.com/bid/1459 (SecurityFocus) |
| Related URL | http://www.iss.net/security_center/static/5135.php (ISS) |
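The check below is an added example, not code from the advisory, the scanner, or Sun. It verifies whether the sample bulletin-board servlet named above is still reachable after patching or after the examples directory has been removed. It assumes only the servlet path given in the advisory; the mapping from HTTP status to verdict and the two sample responses are constructed for offline use. A 200 answer proves only that the sample servlet is still installed; it does not exercise the WebAdmin compile-and-execute step, so treat "present" as "samples not removed" rather than as confirmed exploitability.

```python
"""Probe for the Sun Java Web Server sample bulletin-board servlet.

Added example (not part of the original advisory). Assumes the servlet path
from the advisory; the status-to-verdict mapping and the sample responses
below are constructed, not captured from a real server.
"""
import http.client
import sys

# Path of the sample servlet, taken from the advisory text.
SERVLET_PATH = "/servlet/sunexamples.BBoardServlet"


def classify_status(status: int) -> str:
    """Map the HTTP status returned for SERVLET_PATH to a verdict.

    200          -> "present":    the sample servlet answered; samples not removed
    401/403      -> "restricted": something answered but denied access; verify by hand
    404/410      -> "absent":     servlet not found, consistent with samples removed
    anything else -> "unknown":   inspect the response manually
    (assumed mapping, see module docstring)
    """
    if status == 200:
        return "present"
    if status in (401, 403):
        return "restricted"
    if status in (404, 410):
        return "absent"
    return "unknown"


def parse_status_line(raw: bytes) -> int:
    """Extract the numeric status code from the first line of a raw HTTP response."""
    first = raw.split(b"\r\n", 1)[0]
    parts = first.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP status line: %r" % first)
    return int(parts[1].decode("ascii"))


def classify_response(raw: bytes) -> str:
    """Verdict for a complete raw response (used for the offline samples)."""
    return classify_status(parse_status_line(raw))


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """GET the sample servlet path on a live host and return the verdict.

    A plain GET is used rather than HEAD because the servlet is a dynamic
    page and may not answer HEAD the same way.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", SERVLET_PATH, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return classify_status(resp.status)
    except (OSError, http.client.HTTPException) as exc:
        return "unreachable: %s" % exc
    finally:
        conn.close()


# Constructed sample responses for offline use (not real server output).
SAMPLE_PRESENT = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  b"<html><body>Bulletin Board</body></html>")
SAMPLE_ABSENT = b"HTTP/1.0 404 Not Found\r\nContent-Type: text/html\r\n\r\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(host, port, SERVLET_PATH, "->", probe(host, port))
    else:
        print("constructed 200 ->", classify_response(SAMPLE_PRESENT))
        print("constructed 404 ->", classify_response(SAMPLE_ABSENT))
```

Run it with a host (and optional port) to probe a live server, or with no arguments to see the verdicts for the two constructed responses. Because the scanner lists the port as "80, ...", repeat the probe on every HTTP listener the server exposes, not just port 80.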