Westpoint Security Advisory
Title: Jetty CGIServlet Arbitrary Command Execution
Risk Rating: Medium
Software: Jetty Servlet Container
Platforms: Win32 (other platforms not tested)
Vendor URL: www.mortbay.org
Author: Matt Moore <[email protected]>
Date: 1st October 2002
Advisory ID#: wp-02-0011.txt
Jetty is a 100% Java HTTP Server and Servlet Container. A flaw
in the CGIServlet allows an attacker to execute arbitrary commands
on the server.
Commands can be executed on the server by making requests like:
http://jetty-server:8080/cgi-bin/..\..\..\..\..\..\winnt/notepad.exe
The vendor responded quickly and has released a fixed version, 4.1.0
which can be downloaded from http://jetty.mortbay.org
Excerpt from Vendor announcement at:
http://groups.yahoo.com/group/jetty-announce/message/45
'4.1.0 also contains a priority security fix for the CGI servlet
running on windows platforms. This remotely exploitable problem
effects all previous versions of Jetty that use the CGI servlet
on windows without a permissions file configured for the context.
The CGI servlet from 4.1.0 may be used in 4.0 releases.'
This advisory is available online at: