26th Aug 2002 [SBWID-5660]
COMMAND
Blazix JSP source disclosure and unauthenticated access to password-protected folders
SYSTEMS AFFECTED
Blazix 1.2 and previous
PROBLEM
From Auriemma Luigi's PivX [http://www.PivX.com] security advisory:
The bug I want to describe is one of the most widespread problems in
current applications: some operating system APIs open files without
checking for certain characters that can be appended to the file name.
In Blazix the "bad" characters are '+' and '\' (NOT %2b and %5c).
With this bug we can view all the server-side scripts and, more
dangerously, we have free access to the password-protected folders.
Note that version 1.2.1 (released a few days ago) is still vulnerable
to the "password protected folder access" (only the JSP view has been
fixed in this release).
A] Jsp view examples:
http://127.0.0.1/jsptest.jsp+
http://127.0.0.1/jsptest.jsp\
B] Free protected folder access examples (bugtest is a folder that I
have created and protected with a password):
http://127.0.0.1/bugtest+/
http://127.0.0.1/bugtest\/
If you don't have a protected folder you can quickly follow these
simple steps:
a) make a new folder called bugtest in webfiles
b) copy webfiles\index.html in webfiles\bugtest\index.html
c) add "role.user.url: /bugtest/*" in web.ini file
d) close and restart the web server to load the new settings
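The mismatch the advisory describes, modelled as an added example (not Blazix code and not from the PivX advisory): a dispatcher that applies its JSP and role checks to the raw request path but opens the file under a name from which a trailing '+' or '\' has been dropped, beside a hardened dispatcher that checks the same canonical name it opens. The in-memory document root, the "/bugtest/" prefix rule and the dropped-character behaviour of the file layer are assumptions constructed to reproduce the reported results.

```python
"""Model of the suffix-character bypass, beside a hardened dispatcher.

Added example, not Blazix code. The document root, the protected-prefix rule
and the assumption that the file-open layer silently drops a trailing '+' or
'\\' from a name component are constructed to reproduce the advisory's results.
"""
import string

# Constructed document root: request path -> file contents.
DOCROOT = {
    "/index.html": "<html>public</html>",
    "/jsptest.jsp": '<% out.println("secret source"); %>',
    "/bugtest/index.html": "<html>protected</html>",
}

PROTECTED_PREFIXES = ("/bugtest/",)   # models "role.user.url: /bugtest/*"
JSP_SUFFIX = ".jsp"
DROPPED = "+\\"                       # assumed: ignored at the end of a name component
SAFE_CHARS = set(string.ascii_letters + string.digits + "/._-")


def canonical(path):
    """The name the file layer actually opens (assumed behaviour, see DROPPED)."""
    return "/".join(part.rstrip(DROPPED) for part in path.split("/"))


def os_open(path):
    """Assumed file-open layer: drop the trailing characters, then look the
    file up, serving index.html for a directory request."""
    key = canonical(path)
    if key.endswith("/"):
        key += "index.html"
    return DOCROOT.get(key)


def vulnerable_dispatch(path, authenticated):
    """Role and JSP checks run on the raw request path, but the file is
    opened under a different (canonical) name: the classic mismatch."""
    if path.startswith(PROTECTED_PREFIXES) and not authenticated:
        return 401, None
    if path.endswith(JSP_SUFFIX):
        return 200, "<executed jsp>"      # engine runs it; source never leaves
    body = os_open(path)
    return (200, body) if body is not None else (404, None)


def hardened_dispatch(path, authenticated):
    """Reject anything outside a character allowlist, refuse any request whose
    name differs from what would be opened, and apply every check to that same
    canonical name. Percent-decoding must already have happened."""
    if not set(path) <= SAFE_CHARS:
        return 400, None
    canon = canonical(path)
    # Defence in depth: catches a dropped character that the allowlist permits
    # (e.g. if trailing '.' were also dropped, as Win32 path handling does).
    if canon != path:
        return 400, None
    if canon.startswith(PROTECTED_PREFIXES) and not authenticated:
        return 401, None
    if canon.endswith(JSP_SUFFIX):
        return 200, "<executed jsp>"
    body = os_open(canon)
    return (200, body) if body is not None else (404, None)


# The four request paths from the advisory, sent unauthenticated.
ADVISORY_PROBES = ["/jsptest.jsp+", "/jsptest.jsp\\", "/bugtest+/", "/bugtest\\/"]


def probe(dispatch):
    """Return {path: (status, body)} for each advisory URL against a dispatcher."""
    return {p: dispatch(p, authenticated=False) for p in ADVISORY_PROBES}


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_dispatch), ("hardened", hardened_dispatch)):
        for path, (status, body) in probe(fn).items():
            print(f"{name:10} {path!r:18} -> {status} {body!r}")
```

Against the vulnerable dispatcher every probe returns 200 with either the JSP source or the protected index page; against the hardened one every probe is refused with 400 before any file is touched, while a plain authenticated request for "/bugtest/" still succeeds. The general lesson is that any check (extension, prefix, role) must be applied to the exact name the open call will use, and that an allowlist on the request is cheaper than enumerating every character the platform might strip.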
SOLUTION
The Blazix team has patched the server. Check the real installed version
in the Readme.txt file in the Blazix folder (it is the ONLY place where
the real version is written). Blazix 1.2.2 can be downloaded from its
homepage:
http://www.blazix.com