Vulnerabilities > CVE-2013-3827 - Directory Traversal vulnerability in Oracle JavaServer Faces

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
oracle
nessus
exploit available

Summary

Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container. (The vendor text leaves the vector unspecified; the Exploit-DB and Nessus entries below describe it as partial directory traversal in the handling of JavaServer Faces resource identifiers and library names.)

Exploit-Db

description: Oracle Glassfish Server 2.1.1/3.0.1 Multiple Subcomponent Resource Identifier Traversal Arbitrary File Access. CVE-2013-3827. Remote exploits for multiple pl...
id: EDB-ID:38802
last seen: 2016-02-04
modified: 2013-10-15
published: 2013-10-15
reporter: Alex Kouzemtchenko
source: https://www.exploit-db.com/download/38802/
title: Oracle Glassfish Server 2.1.1/3.0.1 Multiple Subcomponent Resource Identifier Traversal Arbitrary File Access

Nessus

  • NASL family: CGI abuses
    NASL id: ORACLE_JAVASERVER_FACES_DIRECTORY_TRAVERSAL.NASL
    description: The remote web server contains a JavaServer Faces application that is affected by multiple partial directory traversal vulnerabilities: (1) a defect in the handling of a resource identifier allows directory traversal within the application; (2) a defect in the handling of a library name allows directory traversal within the application. Note that the application may also be affected by a ViewState HMAC non-constant verification weakness; however, Nessus has not tested for this. Note that this plugin will only report the first vulnerable application.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 70963
    published: 2013-11-19
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/70963
    title: Oracle JavaServer Faces Multiple Partial Directory Traversals
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration section: when the plugin is loaded with `description` set, the
    # calls below declare its metadata and the script ends at the exit(0) that
    # closes this block, before any request is sent to a target.
    if (description)
    {
      script_id(70963);
      script_version("1.8");
      script_cvs_date("Date: 2019/11/27");
    
      # Identifiers for correlating this finding with other advisories.
      script_cve_id("CVE-2013-3827");
      script_bugtraq_id(63052);
      script_xref(name:"CERT", value:"526012");
    
      script_name(english:"Oracle JavaServer Faces Multiple Partial Directory Traversals");
      # The summary names the test method: the check tries to read the
      # application's web.xml instead of comparing version strings.
      script_summary(english:"Tries to read an application's web.xml");
    
      script_set_attribute(attribute:"synopsis", value:
    "A Java application hosted on the remote web server is affected by
    multiple partial directory traversal vulnerabilities.");
      # The description text states two scope limits: the ViewState HMAC weakness
      # is not tested, and only the first vulnerable application is reported. One
      # finding (or none) therefore does not characterise every JSF application
      # on the host.
      script_set_attribute(attribute:"description", value:
    "The remote web server contains a JavaServer Faces application that is
    affected by multiple partial directory traversal vulnerabilities :
    
      - A defect exists in the handling of a resource identifier
        that allows for directory traversal within the
        application.
    
      - A defect exists in the handling of a library name that
        allows for directory traversal within the application.
    
    Note that the application may also be affected by a ViewState HMAC
    non-constant verification weakness; however, Nessus has not tested for
    this. 
    
    Note that this plugin will only report the first vulnerable
    application.");
      # Each see_also value is a shortened link; the comment above it records the
      # full advisory URL it stands for.
      # http://security.coverity.com/advisory/2013/Oct/two-path-traversal-defects-in-oracles-jsf2-implementation.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5de4499a");
      # http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ac29c174");
      script_set_attribute(attribute:"solution", value:
    "Install the patch per the instructions in the vendor's advisory.");
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # partial confidentiality impact, no integrity or availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      # Temporal vector: proof-of-concept exploit, official fix, confirmed report.
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_nessus", value:"true");
    
      # The patch date (2013/10/14) precedes the public disclosure date.
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/10/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/11/19");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
      script_end_attributes();
    
      # ACT_ATTACK: an active check. Per script_summary above, the script itself
      # sends the requests that attempt the file read.
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # NOTE(review): webmirror.nasl presumably fills the www/<port>/cgi KB list
      # that the detection code reads after this block - confirm.
      script_dependencies("http_version.nasl", "webmirror.nasl");
      script_require_ports("Services/www", 80, 8080);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("http.inc");
    include("misc_func.inc");
    include("webapp_func.inc");
    include("data_protection.inc");
    
    # Candidate discovery: choose the web port (8080 when nothing else is known)
    # and build the list of application base paths to probe.
    port = get_http_port(default:8080);
    # URLs recorded in the KB under www/<port>/cgi. By its name the helper exits
    # when the key is absent, so the check only runs where earlier discovery
    # recorded pages on this port.
    cgis = get_kb_list_or_exit('www/' + port + '/cgi');
    
    urls = make_list();
    # To identify Java applications that we can test the exploit on
    # we will look for files with the .jsf suffix from the KB and
    # send the request to the application directory rather than the file itself
    #
    # NOTE(review): only URLs containing "/<name>.jsf" produce a candidate. An
    # application whose pages were not discovered, or that is reached through a
    # different suffix or path mapping, is never probed. The audit message below
    # means "nothing to test", not "not vulnerable".
    foreach cgi (make_list(cgis))
    {
      # match[1] is the text before the "/<name>.jsf" part, i.e. the directory.
      # The pattern is not anchored at the end of the string, so a longer
      # extension that starts with ".jsf" also matches.
      match = eregmatch(pattern:"(^.*)(/.+\.(jsf))", string:cgi);
      if (match)
      {
        urls = make_list(urls, match[1]);
        # Without thorough tests only the first candidate directory is kept.
        if (!thorough_tests) break;
      }
    }
    # No candidate directory was found: report that no JSF files were seen.
    if (max_index(urls) == 0) audit(AUDIT_WEB_FILES_NOT, "JavaServer Faces application", port);
    
    # Determine which traversal to test against target host
    # Two request forms are tried, both aiming at WEB-INF/web.xml inside the same
    # application. The first places the ".." in the resource path; the second
    # passes it in the `ln` query parameter. These presumably correspond to the
    # resource-identifier and library-name defects in the plugin description.
    #
    # Detection note: both requests contain a `javax.faces.resource` path segment
    # together with `..` and `WEB-INF`. Search web access logs for that
    # combination when looking for attempts against a server.
    paths = make_list('/javax.faces.resource.../WEB-INF/web.xml.jsf',
      '/javax.faces.resource./WEB-INF/web.xml.jsf?ln=..');
    
    vuln = FALSE;
    
    foreach url (urls)
    {
      foreach path (paths)
      {
        vuln_url = url + path;
    
        # NOTE(review): with exit_on_fail set, a failed request presumably ends
        # the whole plugin, so later candidates would not be tried - confirm.
        res = http_send_recv3(
          method : "GET",
          port   : port,
          item   : vuln_url,
          exit_on_fail : TRUE
        );
    
        # All three indicators must hold: the status line contains "200 OK", and
        # the body contains both "<web-app" and a servlet class in javax.faces.*.
        # Checking the body avoids counting a generic page served with status 200.
        # The reverse also applies: a web.xml that declares no javax.faces.*
        # servlet class, or a response without the literal "200 OK", is not
        # counted even if the file was returned.
        if (
           res[0] =~ "200 OK" &&
           "<web-app" >< res[2] &&
           "<servlet-class>javax.faces." >< res[2]
        )
        {
          vuln = TRUE;
          # Keep the body from the first <servlet-class> onward as evidence and
          # fall back to the whole body if strstr() yields nothing.
          output = strstr(res[2], "<servlet-class>");
          if (isnull(output)) output = res[2];
          # vuln_url still holds the request that succeeded when the loops end.
          break;
        }
      }
      # Stop after first vulnerable web app is found
      if (vuln) break;
    }
    
    # Every candidate and request form was tried without a match.
    if (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');
    
    # Reporting: with verbosity enabled, attach the request that worked and an
    # excerpt of what the server returned; otherwise raise the finding alone.
    # The excerpt comes from the application's web.xml, so the scan report itself
    # carries configuration data from the target and should be stored with care.
    if (report_verbosity > 0)
    {
      # Number of response lines quoted in the report.
      max = 10;
      # Visual separator placed before and after the quoted excerpt.
      snip =  '\n'+crap(data:"-", length:30)+" snip "+crap(data:"-", length:30);
      # The evidence goes through the data_protection helper before it is quoted.
      # What it redacts is not visible in this script.
      output = data_protection::sanitize_user_full_redaction(output:output);
      header =
        'Nessus was able to verify the issue exists using the following request';
      trailer =
        'This produced the following output (truncated to '+max+' lines) :'+
        '\n' + snip + '\n' +
        beginning_of_response(resp:output, max_lines:max) + '\n' +
        snip + '\n';
    
      # vuln_url is the last request built by the probe loop, which is the one
      # that matched because the loop breaks as soon as a match is found.
      report = get_vuln_report(
        items   : vuln_url,
        port    : port,
        header  : header,
        trailer : trailer
      );
      security_warning(port:port, extra:report);
    }
    else security_warning(port);
    
  • NASL family: Web Servers
    NASL id: GLASSFISH_CPU_OCT_2013.NASL
    description: The version of GlassFish Server running on the remote host is affected by multiple vulnerabilities in the following components: Java Server Faces and Metro.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 70482
    published: 2013-10-17
    reporter: This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/70482
    title: Oracle GlassFish Server Multiple Vulnerabilities (October 2013 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration section: when the plugin is loaded with `description` set, the
    # calls below declare its metadata and the script ends at the exit(0) that
    # closes this block.
    if (description)
    {
      script_id(70482);
      script_version("1.12");
      script_cvs_date("Date: 2018/11/15 20:50:25");
    
      # One finding from this plugin stands for three CVEs. It does not say which
      # of them is reachable on the host.
      script_cve_id("CVE-2013-2172", "CVE-2013-3827", "CVE-2013-5816");
      script_bugtraq_id(60846, 63052, 63054);
      script_xref(name:"CERT", value:"526012");
    
      script_name(english:"Oracle GlassFish Server Multiple Vulnerabilities (October 2013 CPU)");
      # The summary names the test method: a version comparison, not a probe.
      script_summary(english:"Checks the version of Oracle GlassFish.");
    
      script_set_attribute(attribute:"synopsis", value:"The remote web server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of GlassFish Server running on the remote host is affected
    by multiple vulnerabilities in the following components :
    
      - Java Server Faces
      - Metro");
      # Fixed releases, one per supported branch. The version check after this
      # block uses the same three values.
      script_set_attribute(attribute:"solution", value:"Upgrade to GlassFish Server 2.1.1.22 / 3.0.1.8 / 3.1.2.7 or later.");
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # partial confidentiality impact, no integrity or availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      # Temporal vector: proof-of-concept exploit, official fix, confirmed report.
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      # https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixFMW
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4930e546");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/10/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/17");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:glassfish_server");
      script_end_attributes();
    
      # ACT_GATHER_INFO: this plugin only reads what detection already stored.
      # No traversal request is sent.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Runs after glassfish_detect.nasl and only when the www/glassfish KB key
      # is present.
      script_dependencies("glassfish_detect.nasl");
      script_require_keys("www/glassfish");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("audit.inc");
    include("glassfish.inc");
    
    #
    # Main
    #
    
    # Check for GlassFish
    # Version-only check: everything below works from values already stored in the
    # KB, and nothing is requested from the server here. The verdict is therefore
    # only as accurate as the recorded version string.
    get_kb_item_or_exit('www/glassfish');
    
    port = get_glassfish_port(default:8080);
    
    # Get the version number out of the KB.
    # `ver` is used for comparison. `banner` and `pristine` appear only in the
    # report and audit text.
    ver = get_kb_item_or_exit("www/" + port + "/glassfish/version");
    banner = get_kb_item_or_exit("www/" + port + "/glassfish/source");
    pristine = get_kb_item_or_exit("www/" + port + "/glassfish/version/pristine");
    
    # Check if the installation is vulnerable.
    # Select the fixed release for the branch the installed version belongs to.
    # The patterns are prefix matches on the first three version components.
    if (ver =~ "^2\.1\.1")
      fix = "2.1.1.22";
    else if (ver =~ "^3\.0\.1")
      fix = "3.0.1.8";
    else if (ver =~ "^3\.1\.2")
      fix = "3.1.2.7";
    else
      # NOTE(review): any other branch gets no fix value and falls through to the
      # "not vulnerable" audit below. For those versions the result means "not
      # covered by this check", not "confirmed patched".
      fix = NULL;
    
    # Flag the host when the installed version sorts below the branch's fix.
    if (!isnull(fix) && ver_compare(ver:ver, fix:fix, strict:FALSE) < 0)
    {
      if (report_verbosity > 0)
      {
        # Evidence for the finding: where the version came from, what was seen,
        # and the release that contains the fix.
        report =
          '\n  Version source    : ' + banner +
          '\n  Installed version : ' + pristine +
          '\n  Fixed version     : ' + fix +
          '\n';
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "Oracle GlassFish", port, pristine);
    

Redhat

advisories
rhsa
id: RHSA-2014:0029