Allaire JRun directory leak problem
Published: 2001-11-29
Updated: 2001-11-29
Severity: medium
Threat level: server information disclosure
Error type: input validation error
Utilization: server mode
Affected systems:
Allaire JRun 3.0 / 3.1
- Microsoft IIS 4.0 / 5.0
Detailed description
Requesting a special URL from a system running JRun can cause the physical directory to be leaked.
Test code
http://[Machine]/?.JSP
http://[Machine]/[AnyDirectory]/?.JSP
Solution
None yet
Related information
George Hedfors (George.hedfors@defcom.com)
Reference:
http://www.allaire.com/handlers/index.cfm?id=22236&method=full
Allaire JRun directory traversal vulnerability
Release Date: 2001-12-06
Update Date: 2001-12-18
Affected systems:
Allaire JRun 2.3.3
- IBM AIX 4.3
- IBM AIX 4.2
- Microsoft Windows NT 4.0 SP6A
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000
- Redhat Linux 6.1 SPARC
- Redhat Linux 6.1 x86
- Redhat Linux 6.1 Alpha
- Redhat Linux 6.0 SPARC
- Redhat Linux 6.0 x86
- Redhat Linux 6.0
- SGI IRIX 6.5
- Sun Solaris 7.0
- Sun Solaris 2.6
Allaire JRun 3.0
- IBM AIX 4.3
- IBM AIX 4.2
- Microsoft Windows NT 4.0 SP6A
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000
- Redhat Linux 6.1 x86
- Redhat Linux 6.1 Alpha
- Redhat Linux 6.1 SPARC
- Redhat Linux 6.0
- Redhat Linux 6.0 SPARC
- Redhat Linux 6.0 x86
- SGI IRIX 6.5
- Sun Solaris 7.0
- Sun Solaris 2.6
Allaire JRun 3.1
- IBM AIX 4.3
- IBM AIX 4.2
- Microsoft Windows NT 4.0 SP6A
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000
- Redhat Linux 6.1 SPARC
- Redhat Linux 6.1 x86
- Redhat Linux 6.1 Alpha
- Redhat Linux 6.0
- Redhat Linux 6.0 SPARC
- Redhat Linux 6.0 x86
- Redhat Linux 6.0 Alpha
- SGI IRIX 6.5
- Sun Solaris 8.0
- Sun Solaris 7.0
Description:
-------------------------------------------------- ------------------------------
Bugtraq ID: 3666
JRun is a JSP server published by Allaire.
The software has an input validation vulnerability that may allow directory traversal across the entire file system.
Because JRun does not validate request paths correctly, a remote attacker can use "../" sequences to traverse the entire file system.
<* Source: Macromedia Security Alert (Newsflash@macromedia.com)
Link:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0091.html
http://www.allaire.com/handlers/index.cfm?id=22265&Method=Full&Cache=off
*>
Recommendation:
-------------------------------------------------- ------------------------------
Temporary solution:
If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following step to reduce the threat:
* Temporarily switch to another secure JSP server, such as Apache Tomcat.
Vendor patch:
Allaire
-------
The vendor has released patches that fix this security problem; download them from the vendor's site:
Allaire JRun 2.3.3:
Allaire Patch Windows Jrun 2.3.3 JP23159W_22129.exe
http://download.allaire.com/publicddl/en/jrun/23/jp23159w_22129.exe
Allaire Patch Unix Jrun 2.3.3 JP23159U_22129.Tar.gz
http://download.allaire.com/publicddl/en/jrun/23/jp23159u_22129.tar.gz
Allaire JRun 3.0:
Allaire Upgrade Windows Jrun 3.0 JR30SP2_25232.exe
http://download.allaire.com/publicddl/en/jrun/30/jr30sp2_25232.exe
Allaire Patch UNIX JRUN 3.0 JR30SP2U_25232.SH
http://download.allaire.com/publicddl/en/jrun/30/jr30sp2u_25232.sh
Allaire Jrun 3.1:
Allaire Upgrade Windows Jrun 3.1 JRUN-31-Win-Upgrade-US_26414.exe
http://download.allaire.com/publicdl/en/jrun/31/jrun-31-win-upgrade-us_26414.exe
Allaire Patch Unix Jrun 3.1 JRun-31-Unix-Upgrade-us_26414.sh
http://download.allaire.com/publicddl/en/jrun/31/jrun-31-unix-Upgrade-us_26414.sh
Allaire JRun "jsessionID" information leak vulnerability
Release Date: 2001-12-06
Update Date: 2001-12-18
Affected systems:
Allaire JRun 3.0
- AIX 4.3
- AIX 4.2
- Irix 6.5
- Microsoft Windows NT 4.0 SP6A
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000
- Redhat Linux 6.1 SPARC
- Redhat Linux 6.1 Alpha
- Redhat Linux 6.1 x86
- Redhat Linux 6.0
- Redhat Linux 6.0 Alpha
- Redhat Linux 6.0 x86
- Redhat Linux 6.0 SPARC
- Solaris 8.0
- Solaris 7.0
Allaire Jrun 3.1
- AIX 4.3
- AIX 4.2
- Irix 6.5
- Microsoft Windows NT 4.0 SP6A
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000
- Redhat Linux 6.1 SPARC
- Redhat Linux 6.1 x86
- Redhat Linux 6.1 Alpha
- Redhat Linux 6.0
- Redhat Linux 6.0 SPARC
- Redhat Linux 6.0 x86
- Redhat Linux 6.0 Alpha
- Solaris 8.0
- Solaris 7.0
Not affected system:
Description:
-------------------------------------------------- ------------------------------
Bugtraq ID: 3665
JRun is a JSP server published by Allaire.
The software has a design error that may result in the leakage of sensitive information.
When a user accesses a JRun-based site, the user is given a session ID; under certain conditions this session ID is appended to the URL, which can cause it to leak.
<* Source: Macromedia Security Alert (Newsflash@macromedia.com)
Link:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0091.html
http://www.allaire.com/handlers/index.cfm?id=22266&Method=Full
*>
Recommendation:
-------------------------------------------------- ------------------------------
Temporary solution:
If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following step to reduce the threat:
* Temporarily switch to another secure JSP server, such as Apache Tomcat.
Vendor patch:
Allaire
-------
The vendor has released upgrade patches that fix this security issue; download them from the vendor's site:
Allaire JRun 3.0:
Macromedia Patch JRun Win32 JR30SP2_25232.EXE
http://download.allaire.com/publicddl/en/jrun/30/jr30sp2_25232.exe
Macromedia Upgrade JRun UNIX JR30SP2U_25232.SH
http://download.allaire.com/publicddl/en/jrun/30/jr30sp2u_25232.sh
Allaire Jrun 3.1:
Macromedia Patch Jrun Win32 JRUN-31-Win-Upgrade-US_26414.exe
http://download.allaire.com/publicdl/en/jrun/31/jrun-31-win-upgrade-us_26414.exe
Macromedia Upgrade Jrun Unix JRUN-31-Unix-Upgrade-us_26414.sh
http://download.allaire.com/publicddl/en/jrun/31/jrun-31-unix-Upgrade-us_26414.sh
Allaire JRun JSP Source Code Leak Vulnerability
Release Date: 2001-12-16
Update Date: 2001-12-18
Affected system:
Allaire JRun 3.1
- IBM AIX 4.3
- IBM AIX 4.2
- Microsoft Windows NT 4.0 SP6A
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000
- Redhat Linux 6.1 Alpha
- Redhat Linux 6.1 SPARC
- Redhat Linux 6.1 x86
- Redhat Linux 6.0 Alpha
- Redhat Linux 6.0
- Redhat Linux 6.0 SPARC
- Redhat Linux 6.0 x86
- SGI IRIX 6.5
- Sun Solaris 8.0
- Sun Solaris 7.0
Description:
-------------------------------------------------- ------------------------------
Bugtraq ID: 3662
Allaire JRun is a web application development kit for JSP and Java Servlets. Each web application directory has a "WEB-INF" or "META-INF" directory, which typically contains web application class files, precompiled JSP files, server library files, session information, and configuration files such as "web.xml" and "webapp.properties".
The software has an input validation vulnerability that may disclose JSP source code.
A remote attacker may be able to retrieve JSP files in any directory by sending a specially constructed request.
<* Source: Macromedia Security Alert (Newsflash@macromedia.com)
Link:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0091.html
http://www.allaire.com/handlers/index.cfm?id=22262&mthod=full
http://www.allaire.com/handlers/index.cfm?id=17966&Method=Full
http://www.foundstone.com/cgi-bin/display.cgi?content_id=231
*>
Testing method:
-------------------------------------------------- ------------------------------
Warning
The following procedures (methods) may be aggressive and are intended only for security research and teaching. Use them at your own risk!
The Foundstone advisory provides the following test methods:
http://site.running.jrun:8100//WEB-INF/
http://site.running.jrun:8100//WEB-INF/web.xml
http://site.running.jrun:8100//WEB-INF/webapp.properties
Recommendation:
-------------------------------------------------- ------------------------------
Temporary solution:
If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following step to reduce the threat:
* Temporarily switch to another secure JSP server, such as Apache Tomcat.
Vendor patch:
Allaire
-------
The vendor has released upgrade patches that fix this security issue; download them from the vendor's site:
Macromedia Patch Jrun Win32 JRUN-31-Win-Upgrade-US_26414.exe
http://download.allaire.com/publicdl/en/jrun/31/jrun-31-win-upgrade-us_26414.exe
Macromedia Upgrade Jrun Unix JRUN-31-Unix-Upgrade-us_26414.sh
http://download.allaire.com/publicddl/en/jrun/31/jrun-31-unix-Upgrade-us_26414.sh
Allaire JRun SSI handling error leaks web page source code
Release Date: 2001-11-28
Update Date: 2001-11-29
Affected system:
JRun 3.1 (all editions)
JRun 3.0 (all editions)
JRun 2.3.3 (all editions)
Description:
-------------------------------------------------- ------------------------------
Macromedia JRun is an easy-to-use Java application server that is used in conjunction with web server programs.
A flaw in JRun's SSI (Server Side Includes) processing module allows an attacker to obtain the source code of web pages in the web directory, including .jsp programs.
When a request for an SSI page is sent to the server and the page does not exist, JRun includes the user's HTTP request itself in the page it returns to the user. An HTTP request normally carries no content, but a malicious user can send the server a request that contains an SSI directive, which can pull in other files from the web directory, so the attacker can obtain the source code of a web page. For example, the following request:
GET /nosuch.shtml HTTP/1.0
Content-Length: 38
returns the source code of index.jsp.
<* Source: Netcraft Security (Security@netcraft.com)
Link:
http://archives.neohapsis.com/archives/bugtraq/2001-11/0238.html
*>
Recommendation:
-------------------------------------------------- ------------------------------
Temporary solution:
If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following step to reduce the threat:
* Disable the .shtml mapping, as follows:
For JRun 3.1 and 3.0, remove the following line from the Rules section of the /jrun/lib/global.properties file:
webapp.servlet-mapping.*.shtml=SSIFILTER
Then add the following to the Rules section of the jrun/lib/global.properties file:
webapp.servlet-mapping./servlet/allaire.jrun.ssi.ssifilter=xxx
For JRun 2.3.3, use the JRun 2.3.3 Administrator to delete the .shtml mapping:
1. Start the JRun 2.3.3 Administrator
2. Select the line starting with "JSM-Default"
3. Click the "Configure" button
4. Select the line starting with "jse"
5. Click the "Service Config" button
6. Click the "Mappings" button
7. Select the "*.shtml" line
8. Click the "Delete" button
9. Click the "Save" button
10. Repeat steps 1-9, changing "jse" in step 4 to "jseweb"
Vendor patch:
The vendor has not yet provided a patch or upgrade. Users of this software should watch the vendor's home page for updates:
http://www.macromedia.com/go/xtraffic_mm_al_software_jrunst/
Allaire JRun directory browsing vulnerability
Release Date: 2001-11-28
Update Date: 2001-11-29
Affected system:
Allaire JRun 3.0
Allaire JRun 3.1
- Microsoft IIS 4.0
- Microsoft IIS 5.0
Description:
-------------------------------------------------- ------------------------------
Macromedia JRun is an easy-to-use Java application server that is used in conjunction with web server programs.
When a special request containing the ".jsp" suffix is sent to the web server, JRun handles the request, which allows an attacker to browse all directories under the web root directory.
<* Source: George Hedfors (George.hedfors@defcom.com)
Link:
http://archives.neohapsis.com/archives/bugtraq/2001-11/0240.html
*>
Testing method:
-------------------------------------------------- ------------------------------
Warning
The following procedures (methods) may be aggressive and are intended only for security research and teaching. Use them at your own risk!
George Hedfors (George.hedfors@defcom.com) provides the following demonstration:
Use the following URLs to browse any directory under the web root directory:
http://[Machine]/?.JSP
http://[Machine]/[AnyDirectory]/?.JSP
Recommendation:
-------------------------------------------------- ------------------------------
Temporary solution:
If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following step to reduce the threat:
* Disable JRun's directory browsing feature in the JRun management interface:
Set JRun Default Server / Web Applications / Default User Application / File Settings / Directory Browsing Allowed
to false.
Set JRun Default Server / Web Applications / JRun Demo / File Settings / Directory Browsing Allowed
to false.
Restart the server; directory browsing is then disabled.
Vendor patch:
The vendor has not yet provided a patch or upgrade. Users of this software should watch the vendor's home page for updates:
http://www.macromedia.com/go/xtraffic_mm_al_software_jrunst/
JRun Web Server WEB-INF Directory Information Leakage
Release Date: 2001-01-30
Update Date: 2001-01-30
Affected system:
Allaire JRun 3.0
Description:
-------------------------------------------------- ------------------------------
When a page request is sent to a JRun web server, a listing of the WEB-INF directory may be returned.
It is also possible to display the contents of the web.xml file in the WEB-INF directory.
Under certain conditions, submitting a malformed URI request to JRun 3.0 returns the WEB-INF directory listing or the contents of the web.xml file.
<* Source: Vanja Hrustic (Vanja@relaygroup.com)
Allaire Security Bulletin (ASB01-02):
http://www.allaire.com/handlers/index.cfm?id=19546&Method=Full
*>
Testing method:
-------------------------------------------------- ------------------------------
Warning
The following procedures (methods) may be aggressive and are intended only for security research and teaching. Use them at your own risk!
For example, submitting a URL such as:
http://jrun_server:8000/./WEB-INF/
leaks the listing of the WEB-INF directory on the server.
The following URL returns the contents of the web.xml file:
http://jrun_server:8000/./WEB-INF/web.xml
Recommendation:
-------------------------------------------------- ------------------------------
Vendor patch:
Allaire has released a security bulletin and provides patch downloads.
Allaire Security Bulletin (ASB01-02)
JRun 3.0: Patch Available for JRun Malformed URI WEB-INF Directory Information and web.xml File Retrieval Issue
http://www.allaire.com/handlers/index.cfm?id=19546&Method=Full
Patch download:
Windows 95/98 / NT / 2000 and Windows NT Alpha:
http://download.allaire.com/jrun/jrun3.0/jr30sp2.exe
UNIX / Linux Patch - GNU Gzip / Tar:
http://download.allaire.com/jrun/jrun3.0/jr30sp2u.sh
Allaire JRun Servlet malformed request remote denial of service vulnerability
Release Date: 2000-10-31
Update Date: 2000-10-31
Affected system:
Allaire JRun 3.0
- IBM AIX 4.3
- IBM AIX 4.2
- Microsoft Windows NT 4.0 SP6A
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Redhat Linux 6.1
- Redhat Linux 6.0
- SGI IRIX 6.5
- Sun Solaris 7.0
- Sun Solaris 2.6
Description:
-------------------------------------------------- ------------------------------
Bugtraq ID: 2337
Allaire JRun is a web application development kit that includes JSP and Java Servlets. Each web application directory contains a WEB-INF directory, which holds the web application's classes, precompiled JSP files, the server's libraries, session information, and files such as web.xml and webapp.properties.
The JRun application server has a vulnerability in its handling of malformed requests; a remote attacker may use it to mount a denial of service attack against the server.
Sending multiple malformed requests to JRun's servlets causes the application server to stop responding, resulting in a denial of service.
<* Source: Allaire Security Bulletin
Link:
http://www.fusionauthority.com/Article.cfm?articleid=740
http://www.foundstone.com/knowledge/randd-advisories-display.html?id=237
*>
Testing method:
-------------------------------------------------- ------------------------------
Warning
The following procedures (methods) may be aggressive and are intended only for security research and teaching. Use them at your own risk!
Foundstone provides the following test method:
http://target/servlet/........... (multiple "."s)
Recommendation:
-------------------------------------------------- ------------------------------
Vendor patch:
Allaire
-------
Allaire has released a security bulletin (ASB00-30) and corresponding patches:
ASB00-30: JRun 3.0: Patch Available for "Multiple .'s Denial of Service" Issue
Link:
Patch download:
Allaire JRun 3.0:
Allaire Patch TrailingDots.zip
http://download.allaire.com/patches/trailingDots.zip
Allaire Patch TrailingDots.tgz
http://download.allaire.com/patches/trailingdots.tgz
Allaire JRun 3.0 Directory Disclosure Vulnerability
Release Date: 2000-10-25
Update Date: 2000-10-25
Affected system:
Allaire JRun 3.0
- Sun Solaris 7.0
- Sun Solaris 2.6
- SGI IRIX 6.5
- Redhat Linux 6.1 SPARC
- Redhat Linux 6.1 i386
- Redhat Linux 6.1 Alpha
- Redhat Linux 6.0 SPARC
- Redhat Linux 6.0 i386
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0
- Microsoft Windows NT 2000
- IBM AIX 4.3
- IBM AIX 4.2
Description:
-------------------------------------------------- ------------------------------
Allaire JRun is a web application development kit that includes JSP and Java Servlets. Each web application directory contains a WEB-INF directory, which holds the web application's classes, precompiled JSP files, the server's libraries, session information, and files such as web.xml and webapp.properties.
JRun contains a vulnerability that allows remote users to view the contents of the WEB-INF directory: requesting a malformed URL that contains an additional "/" exposes all subdirectories of the WEB-INF directory.
Successful exploitation of this vulnerability gives a remote intruder read access to any file in the WEB-INF directory.
<* Source: Foundstone Labs (Labs@foundstone.com) *>
Testing method:
-------------------------------------------------- ------------------------------
Warning
The following procedures (methods) may be aggressive and are intended only for security research and teaching. Use them at your own risk!
Use the following URL:
http://target//WEB-INF/
Recommendation:
-------------------------------------------------- ------------------------------
Vendor patch:
Allaire has released the following patch to eliminate the vulnerability:
Allaire JRun 3.0:
Allaire Patch Extraslashes
http://download.allaire.com/jrun/jrun3.0/extraslashes.zip
Windows 95/98 / NT / 2000 and Windows NT Alpha
Allaire Patch Extraslashes.tar
http://download.allaire.com/jrun/jrun3.0/extraslashes.tar.gz
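The "//WEB-INF/" and "/./WEB-INF/" requests above, and the "../" traversal in the earlier advisory, all work against an access check made on the raw request path instead of its canonical form. The following is an added illustration, not JRun or vendor code; the function names and the sample paths are constructed for this example.

```python
from urllib.parse import unquote

# Private servlet-container directories that must never be served.
PROTECTED = {"web-inf", "meta-inf"}

def naive_is_allowed(request_path):
    """Flawed: tests the raw request path, so any alias of it slips through."""
    return not request_path.upper().startswith(("/WEB-INF", "/META-INF"))

def resolve(request_path, max_rounds=3):
    """Return canonical path segments, or None when the request must be refused."""
    path = request_path
    # Decode repeatedly so "%2e%2e" or "%252e%252e" cannot hide a "..".
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None                      # still changing after max_rounds: refuse
    if "\x00" in path:
        return None
    path = path.replace("\\", "/")       # Windows hosts accept "\" as a separator
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                     # collapses "//" and "/./"
        if seg == "..":
            if not segments:
                return None              # would climb above the web root
            segments.pop()
            continue
        # Windows ignores trailing dots and spaces, so "WEB-INF." is WEB-INF.
        seg = seg.rstrip(". ")
        if seg:
            segments.append(seg)
    return segments

def is_allowed(request_path):
    """Decide on the canonical form, at any depth of the application tree."""
    segments = resolve(request_path)
    if segments is None:
        return False
    return not any(seg.lower() in PROTECTED for seg in segments)

# Constructed request paths modelled on the shapes quoted in the advisories.
SAMPLES = [
    "/index.jsp",
    "/WEB-INF/web.xml",
    "//WEB-INF/web.xml",
    "/./WEB-INF/web.xml",
    "/docs/../../outside.txt",
    "/%2e%2e/%2e%2e/outside.txt",
    "/app/web-inf./web.xml",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:32} naive={naive_is_allowed(p)!s:5} hardened={is_allowed(p)}")
```

The naive check refuses only the literal "/WEB-INF/..." form; the hardened check refuses every alias in the sample list and still serves "/index.jsp".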
Allaire JRun 2.3 Directory Traversal Vulnerability
Release Date: 2000-10-25
Update Date: 2000-10-25
Affected system:
Allaire JRun 2.3.x
- Sun Solaris 7.0
- Sun Solaris 2.6
- SGI IRIX 6.5
- Redhat Linux 6.1 SPARC
- Redhat Linux 6.1 i386
- Redhat Linux 6.1 Alpha
- Redhat Linux 6.0 SPARC
- Redhat Linux 6.0 i386
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0
- Microsoft Windows NT 2000
- IBM AIX 4.3
- IBM AIX 4.2
Description:
-------------------------------------------------- ------------------------------
Allaire JRun is a JSP and Java Servlets development kit. It contains a vulnerability that allows remote users to access files outside the WWW root directory, by using the SSIFilter servlet in a malicious URL request combined with the "../" technique. The SSIFilter servlet does not check the validity of the requested path.
<* Source: Foundstone Labs (Labs@foundstone.com) *>
Testing method:
-------------------------------------------------- ------------------------------
Warning
The following procedures (methods) may be aggressive and are intended only for security research and teaching. Use them at your own risk!
http://target/servlet/com.livesoftware.jrun.plugins.ssi.ssifilter/../../path/to/otgpdvt/filename
http://target/servlet/ssifilter/../../path/to/otgpdvt/filename
Recommendation:
-------------------------------------------------- ------------------------------
Allaire provides a patch:
Allaire Jrun 2.3.x:
Allaire Patch JR233P_ASB00_28_29
http://download.allaire.com/jrun/jr233p_asb00_28_29.zip
Windows 95/98 / NT / 2000 and Windows NT Alpha
Allaire Patch JR233P_ASB00_28_29TAR
http://download.allaire.com/jrun/jr233p_asb00_28_29.tar.gz
UNIX / Linux Patch - GNU Gzip / Tar
Allaire JRun 2.3 remote arbitrary code execution
Release Date: 2000-10-25
Update Date: 2000-10-25
Affected system:
Allaire JRun 2.3.x
- Sun Solaris 7.0
- Sun Solaris 2.6
- SGI IRIX 6.5
- Redhat Linux 6.1 SPARC
- Redhat Linux 6.1 i386
- Redhat Linux 6.1 Alpha
- Redhat Linux 6.0 SPARC
- Redhat Linux 6.0 i386
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0
- Microsoft Windows NT 2000
- IBM AIX 4.3
- IBM AIX 4.2
Description:
-------------------------------------------------- ------------------------------
JRun contains a vulnerability that allows remote users to have any file on the file system compiled and executed as JSP code through the WWW service. If "/servlet/" appears in the target file path of a URL request, the JSP interpreter is invoked. If the "../" technique is used in the target file path requested by the user, files outside the WWW root directory can be accessed. The requested file is interpreted as a JSP script; if a user can cause a file to be generated on the server from their input and can then request that file through the vulnerability above, the security of the target system is seriously threatened.
<* Source: Foundstone Labs (Labs@foundstone.com) *>
Testing method:
-------------------------------------------------- ------------------------------
Warning
The following procedures (methods) may be aggressive and are intended only for security research and teaching. Use them at your own risk!
http://target/servlet/com.livesoftware.jrun.plugins.jsp.jsp/00../path/to/otgpdvt/filename
http://target/servlet/jsp/../../path/to/otgpdvt/filename
Recommendation:
-------------------------------------------------- ------------------------------
Allaire announced the following patch:
Allaire Jrun 2.3.x:
Allaire Patch JR233P_ASB00_28_29
http://download.allaire.com/jrun/jr233p_asb00_28_29.zip
Windows 95/98 / NT / 2000 and Windows NT Alpha
Allaire Patch JR233P_ASB00_28_29TAR
http://download.allaire.com/jrun/jr233p_asb00_28_29.tar.gz
UNIX / Linux Patch - GNU Gzip / Tar
Allaire JRun 2.3.x Example File Vulnerability
Release Date: 2000-06-23
Update Date: 2000-06-23
Affected system:
Allaire JRun 2.3.x
- Sun Solaris 7.0
- Sun Solaris 2.6
- SGI IRIX 6.5
- Redhat Linux 6.x
- Microsoft Windows 9X
- Microsoft Windows NT 4.0
- Microsoft Windows NT 2000
- IBM AIX 4.x
Description:
-------------------------------------------------- ------------------------------
When some of the tutorials, sample code, and applications shipped with Allaire JRun 2.3.x are installed on a server, they may leak sensitive server information, such as the system configuration, or allow certain commands to be executed. These samples with security problems should be dealt with manually.
<* Source: Allaire Security Bulletin (ASB00-15) *>
Testing method:
-------------------------------------------------- ------------------------------
Warning
The following procedures (methods) may be aggressive and are intended only for security research and teaching. Use them at your own risk!
For example:
1) Accessing http://target/servlet/sessionservlet displays the IDs of all current HTTP sessions.
2) By default, ViewSource.jsp performs no path checking, which may allow remote users to view any file on the server.
Recommendation:
-------------------------------------------------- ------------------------------
Allaire will fix this problem in the new JRun version 2.3.3, which will be released later this year.
Temporary solution:
Delete all documentation, sample code, examples, and tutorials from the server; the files in the following directories should be deleted:
JRUN_HOME/Servlets
JRUN_HOME/JSM-DEFAULT/Services/JWS/HTDOCS
For more detailed instructions on deleting these files, see:
http://www.allaire.com/handlers/index.cfm?id=16258&Method=Full
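For retrospective triage, the request shapes quoted in the advisories above can be looked for in web server access logs. The following is an added example, not part of any advisory or vendor tool; the label names and the sample log lines are constructed, and the combined/common log format is an assumption about the server in front of JRun.

```python
import re
from urllib.parse import unquote

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PRIVATE_DIR_RE = re.compile(r"(^|/)(web|meta)-inf\.*(/|$)", re.IGNORECASE)

def classify(target):
    """Return the advisory-derived labels that a request target matches."""
    # Split by hand: urlsplit() would read "//WEB-INF/..." as a host name.
    raw_path, _, query = target.partition("?")
    path = unquote(raw_path)
    labels = []
    if query.lower() == ".jsp":
        labels.append("dir-listing-query")      # /?.jsp and /dir/?.jsp
    if PRIVATE_DIR_RE.search(path):
        labels.append("private-dir-access")     # //WEB-INF/, /./WEB-INF/
    if path.lower().startswith("/servlet/"):
        if "/../" in path or path.endswith("/.."):
            labels.append("servlet-dot-dot")    # /servlet/<name>/../../...
        if re.search(r"\.{3,}$", path):
            labels.append("servlet-trailing-dots")
    if ";jsessionid=" in target.lower():
        labels.append("session-id-in-url")      # session ID exposed in the URL
    return labels

def scan(lines):
    """Return one finding per log line that matches at least one label."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        labels = classify(m["target"])
        if labels:
            findings.append({
                "ip": m["ip"],
                "target": m["target"],
                "labels": labels,
                # A 2xx answer means the server actually returned content.
                "served": m["status"].startswith("2"),
            })
    return findings

# Constructed sample log (documentation IP ranges, invented sizes).
SAMPLE_LOG = """\
192.0.2.10 - - [29/Nov/2001:10:00:01 +0000] "GET /index.jsp HTTP/1.0" 200 5120
192.0.2.44 - - [29/Nov/2001:10:00:05 +0000] "GET /?.JSP HTTP/1.0" 200 2210
192.0.2.44 - - [29/Nov/2001:10:00:09 +0000] "GET //WEB-INF/web.xml HTTP/1.0" 200 1830
198.51.100.7 - - [29/Nov/2001:10:01:12 +0000] "GET /./WEB-INF/ HTTP/1.0" 404 310
198.51.100.7 - - [29/Nov/2001:10:01:15 +0000] "GET /servlet/ssifilter/../../path/to/file HTTP/1.0" 200 640
192.0.2.10 - - [29/Nov/2001:10:02:00 +0000] "GET /shop/cart.jsp;jsessionid=EXAMPLE0001 HTTP/1.0" 200 900
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        state = "SERVED" if f["served"] else "refused"
        print(f'{f["ip"]:14} {state:8} {",".join(f["labels"]):22} {f["target"]}')
```

Findings marked as served are the ones to investigate first, since the server returned content for a request shape that a patched installation should refuse.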