Addressing Local File Inclusion

We have a bit of a mystery on our hands. Development of Jaxer was pretty much discontinued after Node.js was released, and it is unclear how much of the community kept using the application server after Aptana was bought by Titanium Studio. Even after continually looking, we generally don't find new mentions of the Jaxer web server other than the small amount of information we have put on the internet ourselves.

That all kind of changed when we found reports of local file inclusion from this blog post: https://packetstormsecurity.com/files/153985/Aptana-Jaxer-1.0.3.4547-Local-File-Inclusion.html

The content of this post is puzzling for several reasons. First, the method they suggest assumes that you have installed Jaxer and can run the included web server to reach the default set of examples and tools that ship with the original Aptana install.

That seems to suggest this person has some familiarity with Aptana Jaxer. The weird part is what happens if you attempt to reproduce the next step they mention: clicking on the WikiLite sample,

and then clicking on the “WikiLite source code” link.

You end up with a 404 Not Found page. Originally I thought this might be because the source viewer was there but the server had a wrong path configured. It turns out that isn't even the issue: if you look at the commit history of the master branch of Aptana Jaxer, you find that this exploit was recognized and fixed back in March of 2011.

Which leads to the mystery of who reported this exploit in 2019, and why. The first part of the mystery is the name “Steph Jensen”, the person who reported it. This seems to be the only exploit this person has reported, and with something as obscure as Jaxer I would expect them to have other reports or some kind of contact information. I would honestly be interested in contacting this person if there are still members of the Jaxer community somewhere.

The other part of the mystery is this: if this person was familiar with Jaxer, why would they be able to describe an exploit that existed prior to 2011, yet not be aware that it was patched on the master branch in 2011, and then publish an exploit post in 2019? It just seems weird.

What I like about this post is that it brings up the importance of safe defaults, and it reassures me that I haven't been overzealous about removing all of the Aptana-related directories from the repository and making the project as small as possible so nothing slips through the cracks. We have removed aptana/ from the alias in jaxer.httpd.conf in the Emrajs repository and will be making separate documentation and example directories, which will be included as an option in the install.
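As an added example (not code from Jaxer or Emrajs), here is a minimal "source viewer" resolver in Python that models the safe-default stance above: the sample tree is not served at all unless the installer opts in, and even when it is on, nothing outside the documentation root is ever returned. The function names, the directory layout and the sample file are assumptions constructed for the demo.

```python
import tempfile
from pathlib import Path


def resolve_source_view(docs_root: str, requested: str, examples_enabled: bool = False):
    """Map a user-supplied path to a file under docs_root.

    Returns (http_status, resolved_path_or_None). Hypothetical helper for the demo.
    """
    # Safe default: the docs/examples tree is opt-in, so by default there is
    # simply nothing to reach, regardless of how the path is crafted.
    if not examples_enabled:
        return 404, None

    root = Path(docs_root).resolve()

    # Reject NUL bytes and absolute paths before joining; Path(root / "/x")
    # would otherwise discard root entirely.
    if "\x00" in requested or requested.startswith(("/", "\\")):
        return 403, None

    # resolve() collapses ".." and follows symlinks, so a symlink inside the
    # docs tree that points outside it is also caught by the containment check.
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return 403, None  # escaped the documentation root

    if not candidate.is_file():
        return 404, None
    return 200, candidate


def build_demo_tree() -> str:
    """Create a constructed sample tree resembling samples/wikilite in a temp dir."""
    root = tempfile.mkdtemp(prefix="docs-root-")
    sample = Path(root) / "samples" / "wikilite"
    sample.mkdir(parents=True)
    (sample / "wikilite.js").write_text("// constructed sample source\n")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for req, enabled in [("samples/wikilite/wikilite.js", False),
                         ("samples/wikilite/wikilite.js", True),
                         ("../../../../etc/passwd", True)]:
        print(enabled, req, "->", resolve_source_view(root, req, enabled)[0])
```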