Allaire JRun 3.0 WEB-INF directory can be viewed
Published: 2000-10-25
Updated: 2000-10-25
Severity (extent of the threat): Remote unauthorized file access
Error type: Input validation error
Use: Server mode
Affected systems
Allaire JRun 3.0
- Sun Solaris 7.0
- Sun Solaris 2.6
- SGI IRIX 6.5
- RedHat Linux 6.1 sparc
- RedHat Linux 6.1 i386
- RedHat Linux 6.1 alpha
- RedHat Linux 6.0 sparc
- RedHat Linux 6.0 i386
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0
- Microsoft Windows NT 2000
- IBM AIX 4.3
- IBM AIX 4.2

Detailed Description
Allaire JRun is a web application kit based on JSP and Java servlets. Each web application directory contains a WEB-INF directory, which holds some of the classes and precompiled JSP files for the web application, server log files, session information, and files such as web.xml and webapp.properties.
JRun contains a vulnerability that allows remote users to view the contents of the WEB-INF directory: requesting a URL containing extra "/" characters displays all directories in the WEB-INF directory.

Test code
http://target//WEB-INF/

Solution
Allaire provides the following patches:
Allaire JRun 3.0:
- Allaire patch extraslashes: http://download.allaire.com/jrun/jrun3.0/extraslashes.zip (Windows 95/98/NT/2000 and Windows NT Alpha)
- Allaire patch extraslashes.tar: http://download.allaire.com/jrun/jrun3.0/extraslashes.tar.gz (UNIX/Linux patch, GNU gzip/tar)
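
The following is an added example, not part of the original advisory and not Allaire code: a log check that canonicalizes each request path (collapsing extra slashes) and reports requests that reached WEB-INF, so that successful responses to the extra-slash form stand out. It assumes Common Log Format access logs and case-insensitive matching of the directory name; the function names, the /shop context and the sample log lines are constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Request line and status code of a Common Log Format entry (assumed format).
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
PROTECTED = {"web-inf"}  # compared in lower case (conservative assumption)


def canonical_segments(target):
    """Return lower-cased path segments after decoding and normalizing."""
    # Split the query by hand: urlsplit() would parse "//WEB-INF/" as a host.
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    path = re.sub(r"/{2,}", "/", path)  # collapse the extra slashes
    path = normpath(path) if path else "/"  # resolve "." and ".." segments
    return [seg.lower() for seg in path.split("/") if seg]


def touches_protected(target):
    """True if any canonical segment is a protected directory name."""
    return any(seg in PROTECTED for seg in canonical_segments(target))


def findings(log_lines):
    """Return (target, status, extra_slashes) for requests reaching WEB-INF."""
    out = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and touches_protected(m["target"]):
            raw_path = m["target"].split("?", 1)[0]
            out.append((m["target"], int(m["status"]), "//" in raw_path))
    return out


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Oct/2000:10:01:02 +0000] "GET /index.jsp HTTP/1.0" 200 512',
    '192.0.2.10 - - [25/Oct/2000:10:01:05 +0000] "GET /WEB-INF/ HTTP/1.0" 403 210',
    '192.0.2.77 - - [25/Oct/2000:10:02:11 +0000] "GET //WEB-INF/ HTTP/1.0" 200 1843',
    '192.0.2.77 - - [25/Oct/2000:10:02:15 +0000] "GET /shop//WEB-INF/ HTTP/1.0" 200 977',
    '192.0.2.31 - - [25/Oct/2000:10:03:40 +0000] "GET /docs/web-info.html HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for target, status, extra in findings(SAMPLE_LOG):
        flag = "SERVED" if 200 <= status < 300 else "denied"
        print(f"{flag:6} status={status} extra_slashes={extra} {target}")
```

A 2xx status on an entry with extra_slashes set indicates the server answered a WEB-INF request and should be followed up by applying the patch above.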