Westpoint Security Advisory

Title:        Jetty CGIServlet Arbitrary Command Execution
Risk Rating:  Medium
Software:     Jetty Servlet Container
Platforms:    Win32 (other platforms not tested)
Vendor URL:   www.mortbay.org
Author:       Matt Moore <matt@westpoint.ltd.uk>
Date:         1st October 2002
Advisory ID#: wp-02-0011.txt

Overview:
=========

Jetty is a 100% Java HTTP Server and Servlet Container. A flaw in the
CGIServlet allows an attacker to execute arbitrary commands on the server.

Details:
========

Commands can be executed on the server by making requests like:

http://jetty-server:8080/cgi-bin/..\..\..\..\..\..\winnt/notepad.exe

Patch / Workaround Information:
===============================

The vendor responded quickly and has released a fixed version, 4.1.0, which
can be downloaded from http://jetty.mortbay.org

Excerpt from Vendor announcement at:
http://groups.yahoo.com/group/jetty-announce/message/45

'4.1.0 also contains a priority security fix for the CGI servlet running on
windows platforms. This remotely exploitable problem affects all previous
versions of Jetty that use the CGI servlet on windows without a permissions
file configured for the context. The CGI servlet from 4.1.0 may be used in
4.0 releases.'

This advisory is available online at:
http://www.westpoint.ltd.uk/advisories/wp-02-0011.txt
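As an added illustration (not part of the advisory and not Jetty's own code), the Python below shows the containment check a CGI handler needs to reject the request pattern above, and runs it over constructed access-log lines to flag attempts after the fact. The /cgi-bin/ mapping and the log lines are assumptions.

```python
import re
from urllib.parse import unquote

CGI_PREFIX = "/cgi-bin/"   # assumed servlet mapping, not taken from the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed sample access-log lines (not from the advisory). The first uses
# the advisory's traversal pattern; the second is the same thing percent-encoded.
SAMPLE_LOG = r"""
10.0.0.5 - - [01/Oct/2002:10:00:01 +0000] "GET /cgi-bin/..\..\..\..\..\..\winnt/notepad.exe HTTP/1.0" 200 0
10.0.0.5 - - [01/Oct/2002:10:00:02 +0000] "GET /cgi-bin/%2e%2e%5c%2e%2e%5cwinnt/notepad.exe HTTP/1.0" 200 0
10.0.0.9 - - [01/Oct/2002:10:00:03 +0000] "GET /cgi-bin/scripts/hello.cgi HTTP/1.0" 200 120
""".strip().splitlines()


def _fold(request_path):
    # Percent-decode once, then treat '\' like '/' because Windows accepts both.
    return unquote(request_path).replace("\\", "/")


def resolve_cgi_script(request_path, cgi_prefix=CGI_PREFIX):
    """Return the script path relative to the CGI root, or None when the
    request would leave it. Walking the segments makes a '..' with nothing
    left to pop an escape, not a no-op as naive normalisation would."""
    folded = _fold(request_path)
    if not folded.startswith(cgi_prefix):
        return None
    segments = []
    for seg in folded[len(cgi_prefix):].split("?", 1)[0].split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None          # climbs above the CGI root
            segments.pop()
        elif ":" in seg:
            return None              # "C:" style drive prefix on Windows
        else:
            segments.append(seg)
    return "/".join(segments) or None


def traversal_attempts(log_lines):
    """Return (client, request_path) for each CGI request that escapes the
    root; requests outside the CGI mapping are ignored."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or not _fold(m.group(1)).startswith(CGI_PREFIX):
            continue
        if resolve_cgi_script(m.group(1)) is None:
            hits.append((line.split(" ", 1)[0], m.group(1)))
    return hits
```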