CVE
- Id
- 2388
- CVE No.
- CVE-2000-0812
- Status
- Candidate
- Description
- The administration module in Sun Java web server allows remote attackers to execute arbitrary commands by uploading Java code to the module and invoking the com.sun.server.http.pagecompile.jsp92.JspServlet by requesting a URL that begins with a /servlet/ tag.
- Phase
- Interim (20010117)
- Votes
- ACCEPT(2) Baker, Dik | MODIFY(2) Frech, Levy | NOOP(3) Armstrong, Cole, Wall | REVIEWING(1) Christey
- Comments
- Frech> XF:sunjava-webadmin-bbs(5135)
- Levy> BID 1600
- Frech> We also show this associated with CVE-2000-0629: The default configuration of the Sun Java web server 2.0 and earlier allows remote attackers to execute arbitrary commands by uploading Java code to the server via board.html, then directly calling the JSP compiler servlet. CVE web site concurs.
- Christey> I think that Casper Dik confirmed that CVE-2000-0629 is a configuration problem, and this one is a bug, so they are different problems. I need to dig up that email, though...
- Dik> CVE-2000-0629 indeed is about sample code which shouldn't be run on production servers. This one is an actual bug and patches have been produced for JWS 2.0 and 1.1.3