I reported a vulnerability to the KAIST Security Team, and they sent an email confirming that they had corrected it.
While I was evaluating the lectures I took this semester, I noticed that the KAIST portal redirected me to a separate 'lecture' server. Surprisingly, it was running on Tomcat. So what was the problem?
I was redirected from “http://portal.kaist.ac.kr/[blabla]” to the address below:
“http://lecture.kaist.ac.kr/lecture/student/[blabla].mxml”
The point is that one of the most fundamental policies of the web, from the HTTP and JavaScript standpoint, is that data is not shared between different servers (specifically, different URLs).
So how do the servers pass the login information (the cookie) from the logged-in portal to the 'lecture' server? It appears to be done with a POST request (looking at the portal's HTML source, I can see it contains messy leftover information and a personal security ID). That means anyone capturing the plain HTML files exchanged between the browser and the server can read any of that information, in a so-called man-in-the-middle attack.
Let's look at the URL hierarchy.
First, check “http://lecture.kaist.ac.kr/lecture”:
it lists JSP files, with Konglish names, intended for an administrator.
Then check “http://lecture.kaist.ac.kr”.
But the most serious problem is the server version: Tomcat/5.5.26.
If your webroot directory is three levels deep (e.g. /usr/local/wwwroot), an
attacker can access arbitrary files as below. (Proof-of-concept)
http://www.target.com/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar
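The proof-of-concept above works because a lenient URL decoder turns the overlong UTF-8 sequence %c0%ae into a plain '.', so the request becomes ../../../foo/bar after the traversal check has already passed. The following is an added defensive example, not code from the original post or from Tomcat: it decodes a request path strictly, rejects overlong sequences and any path that resolves outside the webroot, and runs the same check over a few constructed access-log lines so an administrator can spot such requests after the fact. The webroot /usr/local/wwwroot, the log format and the log lines are assumptions made for the example.

```python
import re
from posixpath import normpath
from urllib.parse import unquote_to_bytes

# Hypothetical three-level webroot, matching the example in the post.
WEBROOT = "/usr/local/wwwroot"

# Overlong UTF-8 forms. A 2-byte sequence starting with 0xC0/0xC1 and a
# 3-byte sequence starting with 0xE0 0x80..0x9F can only encode a code point
# that already fits in fewer bytes; %c0%ae is the overlong form of '.'.
OVERLONG_RE = re.compile(rb"[\xc0\xc1][\x80-\xbf]|\xe0[\x80-\x9f][\x80-\xbf]")


def overlong_utf8_sequences(raw: bytes) -> list:
    """Return every overlong UTF-8 sequence found in the raw (percent-decoded) path."""
    return OVERLONG_RE.findall(raw)


def decode_request_path(raw_path: str) -> str:
    """Percent-decode a request path and decode it as strict UTF-8.

    Overlong sequences are rejected explicitly so the reason is visible in logs;
    Python's strict UTF-8 decoder would refuse them anyway and also catches
    other malformed byte sequences.
    """
    raw = unquote_to_bytes(raw_path)
    if overlong_utf8_sequences(raw):
        raise ValueError("overlong UTF-8 sequence in path")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid UTF-8 in path: {exc}") from None


def resolve_under_webroot(raw_path: str, webroot: str = WEBROOT) -> str:
    """Map a request path to a filesystem path, refusing anything that escapes the webroot."""
    decoded = decode_request_path(raw_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Normalise only AFTER decoding, so '..' segments produced by decoding are seen.
    resolved = normpath(webroot + "/" + decoded.lstrip("/"))
    if resolved != webroot and not resolved.startswith(webroot + "/"):
        raise ValueError("path escapes webroot")
    return resolved


def is_safe_path(raw_path: str, webroot: str = WEBROOT) -> bool:
    """True if the request path decodes cleanly and stays inside the webroot."""
    try:
        resolve_under_webroot(raw_path, webroot)
        return True
    except ValueError:
        return False


# Constructed access-log lines in the common log format (not real traffic).
ACCESS_LOG = """\
10.0.0.5 - - [01/Dec/2008:10:00:00 +0900] "GET /lecture/student/index.mxml HTTP/1.1" 200 5120
10.0.0.9 - - [01/Dec/2008:10:00:07 +0900] "GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar HTTP/1.1" 200 1805
10.0.0.9 - - [01/Dec/2008:10:00:09 +0900] "GET /lecture/../../../foo/bar HTTP/1.1" 404 310
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def flag_traversal_requests(log_text: str, webroot: str = WEBROOT) -> list:
    """Return (ip, path, status, reason) for each logged request that fails the webroot check."""
    flagged = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        try:
            resolve_under_webroot(match["path"], webroot)
        except ValueError as exc:
            flagged.append((match["ip"], match["path"], match["status"], str(exc)))
    return flagged


if __name__ == "__main__":
    for ip, path, status, reason in flag_traversal_requests(ACCESS_LOG):
        print(f"{ip} {status} {path} -> {reason}")
```

The order matters: decoding must happen before normalisation and the containment check, which is exactly the order a lenient decoder gets wrong. A 200 status on a flagged request, as in the second constructed line, is the signal that the traversal actually succeeded and that the served file should be identified.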
Combining both facts, the list of JSP files and the arbitrary file access vulnerability, any student could reach the database. Even more seriously, those JSP files must contain the admin's ID and password, because they are the files that process the evaluation-result database (or something similar).
When I see a vulnerability (maybe an occupational disease), I want to tell the administrator about it.
So I reported this problem to the Security Team as quickly as possible, and all of the problems have already been fixed.
What about your web server? Check it today, or hackers will exploit it for fun.