Re: Apache Tomcat penetration test

From: email-fulldisclosure@hotmail.com
Date: Tue Dec 05 2006 - 07:46:26 EST


Sorry for the late reply. One possible interpretation, which I believe is right...

It looks like web.AjaxService.goGet implements a method at AjaxService.java line 80 which is vulnerable to Code Injection vulnerabilities (subtype: Dynamic Evaluation Vulnerabilities);

http://en.wikipedia.org/wiki/Code_injection
http://www.owasp.org/index.php/Direct_Dynamic_Code_Evaluation_('Eval_Injection')

These vulnerabilities are uncommon in Java apps, but possible to introduce using java.lang.Class.getMethod and some other ways.

Basically it seems like a broken Web 2.0 app - the browser defines which code the server should execute.

It is definitely interesting to see what URI manipulation of this script would yield; are you able to control: class name? method name? parameters? type of parameters?

It might be very limited (not exploitable) or you may have full control over the server, being able to do things such as start local shell commands etc.

I suspect you may experience problems changing "partners.service.PartnersService.getLink" into some more useful class method, since a parameter list of (javax.servlet.http.HttpServletRequest) is hard to find in any easily exploitable code deployed on the server. Basically insecure but hard to exploit in the real world. If you somehow can get away from this typing, you could start doing things like calling java.lang.System.exit() etc. Look for static methods in the Java API, and see if you can manage to call them without hitting parameter type errors. It's a long shot!

Good luck!
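The pattern the reply describes, as an added example that is not part of the original thread and not the code of the application under test: a dispatcher that resolves a client-supplied "class.method" string by reflection, next to a hardened version that maps a fixed allowlist of action names to handlers. The `PartnersService` class and the method names are hypothetical, and a plain `Map` stands in for `HttpServletRequest` so the program compiles without the servlet API.

```java
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

/** Hypothetical service class standing in for partners.service.PartnersService. */
class PartnersService {
    // A Map is used instead of HttpServletRequest so the example runs without the servlet API (assumption).
    public static String getLink(Map<String, String> request) {
        return "https://partner.example/" + request.getOrDefault("id", "unknown");
    }
}

public class AjaxDispatch {

    /** Vulnerable pattern: the client names the class and the method; the server resolves both by reflection. */
    static Object dispatchUnsafe(Map<String, String> request) throws Exception {
        String target = request.get("service");                     // e.g. "PartnersService.getLink"
        int dot = target.lastIndexOf('.');
        Class<?> cls = Class.forName(target.substring(0, dot));    // any loadable class on the classpath
        Method m = cls.getMethod(target.substring(dot + 1), Map.class);
        return m.invoke(null, request);                             // static call chosen by the browser
    }

    /** Hardened pattern: a fixed allowlist of action names mapped to handlers; no client-controlled reflection. */
    private static final Map<String, Function<Map<String, String>, Object>> ACTIONS = Map.of(
            "getLink", PartnersService::getLink
    );

    static Object dispatchSafe(Map<String, String> request) {
        String action = request.get("action");
        Function<Map<String, String>, Object> handler = ACTIONS.get(action);
        if (handler == null) {
            // Reject and record: unknown action names are the signal a defender wants logged and alerted on.
            throw new IllegalArgumentException("unknown action: " + action);
        }
        return handler.apply(request);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request that both dispatchers are meant to accept.
        Map<String, String> legit = new HashMap<>();
        legit.put("service", "PartnersService.getLink");
        legit.put("action", "getLink");
        legit.put("id", "42");
        System.out.println("unsafe: " + dispatchUnsafe(legit));
        System.out.println("safe:   " + dispatchSafe(legit));

        // The same request naming a JDK method the application never intended to expose. Because
        // java.util.Collections.unmodifiableMap takes a single Map parameter, it matches the
        // dispatcher's fixed parameter list and the unsafe version resolves and invokes it; the
        // hardened version never consults reflection and rejects the name outright.
        Map<String, String> probe = new HashMap<>(legit);
        probe.put("service", "java.util.Collections.unmodifiableMap");
        probe.put("action", "java.util.Collections.unmodifiableMap");
        Object r = dispatchUnsafe(probe);
        System.out.println("unsafe: resolved a JDK method the app never exposed -> " + r.getClass().getName());
        try {
            dispatchSafe(probe);
        } catch (IllegalArgumentException e) {
            System.out.println("safe:   " + e.getMessage());
        }
    }
}
```

The hardened dispatcher keeps the client in control of a name only, never of a class or a parameter type, and every rejected name is a cheap, high-signal event to log: a legitimate front end only ever sends the handful of action names it was built with.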




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:25 EDT