Usage of NULL bytes in Servlets or JSPs (not really an advisory, BUT ... !!!)
problem description:
The NULL byte (\000 | %00) can be used to do "classic"
traversal attacks within Java Servlets or Java Server Pages.
Every "program" that uses "File", "RandomAccessFile" or similar Java classes
in combination with user-supplied parameters can be tricked into opening arbitrary
files by inserting a NULL byte into a handcrafted GET request: the Java string keeps
everything after the NULL byte, but the underlying OS call stops reading the path there.
sample:
http://www.mungohost.com/servlet/ShowContent?c=../../../../../etc/passwd%00
(even if this servlet concatenates a file extension
to the c parameter, passwd would be opened!)
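The pattern above and one way to guard against it, as an added example that is not the original post's code (the base directory /var/www/content, the .html extension and the class and method names are assumptions; the real ShowContent servlet is not shown on the page):

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class ShowContentGuard {
    // Constructed base directory for this example; the real servlet's layout is unknown.
    private static final Path BASE = Paths.get("/var/www/content").toAbsolutePath().normalize();

    // The pattern the post describes: an extension is appended to the user value, but a
    // NUL inside that value makes the OS stop reading the path before the extension.
    static File vulnerableResolve(String c) {
        return new File(BASE + File.separator + c + ".html");
    }

    // Hardened variant (hypothetical): reject NUL and other control characters, resolve
    // against the base directory, and refuse anything that does not stay underneath it.
    static Path safeResolve(String c) throws IOException {
        if (c == null || c.isEmpty()) throw new IOException("empty name");
        for (int i = 0; i < c.length(); i++) {
            if (c.charAt(i) < 0x20 || c.charAt(i) == 0x7f)
                throw new IOException("control character in name");
        }
        // normalize() folds ".." lexically; startsWith() then catches any escape from BASE.
        // Symlinks inside BASE are a separate concern (toRealPath() once the file exists).
        Path p = BASE.resolve(c + ".html").normalize();
        if (!p.startsWith(BASE)) throw new IOException("path escapes base directory");
        return p;
    }

    public static void main(String[] args) {
        // Constructed input mirroring the post's sample request, with %00 already decoded.
        String attack = "../../../../../etc/passwd\u0000";
        String shown = vulnerableResolve(attack).getPath().replace("\u0000", "<NUL>");
        System.out.println("vulnerable builds: " + shown);   // extension sits after <NUL>
        String[] inputs = { attack, "../../../../../etc/passwd", "welcome" };
        for (String in : inputs) {
            try {
                System.out.println("accepted: " + safeResolve(in));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Current JDKs already refuse java.io.File paths that contain a NUL, but the containment check is still needed because plain ../ traversal has nothing to do with the NUL trick.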