Description:
On NTFS TmaxSoft JEUS, which is an famous web application server, contained
a vulnerability that allows an attacker to obtain web application source
files. This was caused by ADSs(Alternate Data Streams; ::$DATA).
JEUS couldn't handle ::$DATA. So it treated test.jsp::$DATA as an normal
file when it requested.
This is similar to the past MS Windows IIS vulnerability(Bid 0149).
Exploit:
The attacker can obtain them easily using an URL request.
hxxp://www.target.com/foo/bar.jsp::$DATA
(해커는 위와 같이 ADDs 요청을 통해서 서버의 소스를 획득할 수 있음)
위의 내용은 TmaxSoft JEUS의 취약점에 대해서 나온 것이다.
자세한 사항은 다음링크에서 확인하세요
http://www.milw0rm.com/exploits/7442