Allaire JRun Vulnerability

xiaoxiao2021-03-06  69

Allaire JRun directory leak problem

Published: 2001-11-29

Updated: 2001-11-29

Severity: medium

Threat level: server information disclosure

Error type: input validation error

Utilization: Server mode

Affected system

Allaire Jrun 3.0 / 3.1

- Microsoft IIS 4.0 / 5.0

Detailed Description

Requesting a special URL from a system running JRun can cause the physical directory to be disclosed.

Test code

http://[Machine]/?.JSP

http://[Machine]/[AnyDirectory]/?.JSP

Solution

None yet

Related Information

George Hedfors (George.hedfors@defcom.com)

reference:

http://www.allaire.com/handlers/index.cfm?id=22236&method=full

Allaire JRun directory traversal vulnerability

Release Date: 2001-12-06

Update Date: 2001-12-18

Affected system:

Allaire Jrun 2.3.3

- IBM AIX 4.3

- IBM AIX 4.2

- Microsoft Windows NT 4.0 SP6A

- Microsoft Windows NT 4.0 SP6

- Microsoft Windows NT 4.0 SP5

- Microsoft Windows NT 4.0 SP4

- Microsoft Windows NT 4.0 SP3

- Microsoft Windows NT 4.0 SP2

- Microsoft WINDOWS NT 4.0 SP1

- Microsoft Windows NT 4.0

- Microsoft Windows 98

- Microsoft Windows 95

- Microsoft Windows 2000 Server SP2

- Microsoft Windows 2000 Server SP1

- Microsoft WINDOWS 2000

- Redhat Linux 6.1 SPARC

- Redhat Linux 6.1 x86

- Redhat Linux 6.1 Alpha

- Redhat Linux 6.0 SPARC

- Redhat Linux 6.0 x86

- Redhat Linux 6.0

- SGI IRIX 6.5

- Sun Solaris 7.0

- Sun Solaris 2.6

Allaire Jrun 3.0

- IBM AIX 4.3

- IBM AIX 4.2

- Microsoft Windows NT 4.0 SP6A

- Microsoft Windows NT 4.0 SP6

- Microsoft Windows NT 4.0 SP5

- Microsoft Windows NT 4.0 SP4

- Microsoft Windows NT 4.0 SP3

- Microsoft Windows NT 4.0 SP2

- Microsoft WINDOWS NT 4.0 SP1

- Microsoft Windows NT 4.0

- Microsoft Windows 98

- Microsoft Windows 95

- Microsoft Windows 2000 Server SP2

- Microsoft Windows 2000 Server SP1

- Microsoft WINDOWS 2000

- Redhat Linux 6.1 x86

- Redhat Linux 6.1 Alpha

- Redhat Linux 6.1 SPARC

- Redhat Linux 6.0

- Redhat Linux 6.0 SPARC

- Redhat Linux 6.0 x86

- SGI IRIX 6.5

- Sun Solaris 7.0

- Sun Solaris 2.6

Allaire Jrun 3.1

- IBM AIX 4.3

- IBM AIX 4.2

- Microsoft Windows NT 4.0 SP6A

- Microsoft Windows NT 4.0 SP6

- Microsoft Windows NT 4.0 SP5

- Microsoft Windows NT 4.0 SP4

- Microsoft Windows NT 4.0 SP3

- Microsoft Windows NT 4.0 SP2

- Microsoft WINDOWS NT 4.0 SP1

- Microsoft Windows NT 4.0

- Microsoft Windows 98

- Microsoft Windows 95

- Microsoft Windows 2000 Server SP2

- Microsoft Windows 2000 Server SP1

- Microsoft WINDOWS 2000

- Redhat Linux 6.1 SPARC

- Redhat Linux 6.1 x86

- Redhat Linux 6.1 Alpha

- Redhat Linux 6.0

- Redhat Linux 6.0 SPARC

- Redhat Linux 6.0 x86

- Redhat Linux 6.0 Alpha

- SGI IRIX 6.5

- Sun Solaris 8.0

- Sun Solaris 7.0

description:

-------------------------------------------------- ------------------------------

Bugtraq ID: 3666

JRUN is a JSP server published by Allaire.

The software has an input validation vulnerability that may allow directory traversal across the entire file system.

Because JRun does not handle path identifiers correctly, a remote attacker can use "../" to traverse the entire file system.

<* Source: Macromedia Security Alert (Newsflash@macromedia.com)

link:

http://archives.neohapsis.com/archives/bugtraq/2001-12/0091.html

http://www.allaire.com/handlers/index.cfm?id=22265&Method=Full&Cache=off

*>

Suggest:

-------------------------------------------------- ------------------------------

Temporary solution:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following steps to reduce the threat:

* Temporarily switch to another secure JSP server, such as Apache Tomcat.

Vendor patch:

Allaire

-------

The vendor has released patches that fix this security problem; download them from the vendor's site:

Allaire JRun 2.3.3:

Allaire Patch Windows Jrun 2.3.3 JP23159W_22129.exe

http://download.allaire.com/publicddl/en/jrun/23/jp23159w_22129.exe

Allaire Patch Unix Jrun 2.3.3 JP23159U_22129.Tar.gz

http://download.allaire.com/publicddl/en/jrun/23/jp23159u_22129.tar.gz

Allaire JRun 3.0:

Allaire Upgrade Windows Jrun 3.0 JR30SP2_25232.exe

http://download.allaire.com/publicddl/en/jrun/30/jr30sp2_25232.exe

Allaire Patch UNIX JRUN 3.0 JR30SP2U_25232.SH

http://download.allaire.com/publicddl/en/jrun/30/jr30sp2u_25232.sh

Allaire Jrun 3.1:

Allaire Upgrade Windows Jrun 3.1 JRUN-31-Win-Upgrade-US_26414.exe

http://download.allaire.com/publicdl/en/jrun/31/jrun-31-win-upgrade-us_26414.exe

Allaire Patch Unix Jrun 3.1 JRun-31-Unix-Upgrade-us_26414.sh

http://download.allaire.com/publicddl/en/jrun/31/jrun-31-unix-Upgrade-us_26414.sh

Allaire JRun "jsessionID" information leak vulnerability

Release Date: 2001-12-06

Update Date: 2001-12-18

Affected system:

Allaire Jrun 3.0

- AIX 4.3

- AIX 4.2

- Irix 6.5

- Microsoft Windows NT 4.0 SP6A

- Microsoft Windows NT 4.0 SP6

- Microsoft Windows NT 4.0 SP5

- Microsoft Windows NT 4.0 SP4

- Microsoft Windows NT 4.0 SP3

- Microsoft Windows NT 4.0 SP2

- Microsoft WINDOWS NT 4.0 SP1

- Microsoft Windows NT 4.0

- Microsoft Windows NT

- Microsoft Windows 98

- Microsoft Windows 95

- Microsoft Windows 2000 SP2

- Microsoft Windows 2000 SP1

- Microsoft WINDOWS 2000

- Redhat Linux 6.1 SPARC

- Redhat Linux 6.1 Alpha

- Redhat Linux 6.1 x86

- Redhat Linux 6.0

- Redhat Linux 6.0 Alpha

- Redhat Linux 6.0 x86

- Redhat Linux 6.0 SPARC

- Solaris 8.0

- Solaris 7.0

Allaire Jrun 3.1

- AIX 4.3

- AIX 4.2

- Irix 6.5

- Microsoft Windows NT 4.0 SP6A

- Microsoft Windows NT 4.0 SP6

- Microsoft Windows NT 4.0 SP5

- Microsoft Windows NT 4.0 SP4

- Microsoft Windows NT 4.0 SP3

- Microsoft Windows NT 4.0 SP2

- Microsoft WINDOWS NT 4.0 SP1

- Microsoft Windows NT 4.0

- Microsoft Windows NT

- Microsoft Windows 98

- Microsoft Windows 95

- Microsoft Windows 2000 SP2

- Microsoft Windows 2000 SP1

- Microsoft WINDOWS 2000

- Redhat Linux 6.1 SPARC

- Redhat Linux 6.1 x86

- Redhat Linux 6.1 Alpha

- Redhat Linux 6.0

- Redhat Linux 6.0 SPARC

- Redhat Linux 6.0 x86

- Redhat Linux 6.0 Alpha

- Solaris 8.0

- Solaris 7.0

Not affected system:

description:

-------------------------------------------------- ------------------------------

Bugtraq ID: 3665

JRUN is a JSP server published by Allaire.

The software has a design error that may result in sensitive information leakage.

When a user accesses a JRun-based site, a session ID is issued, and under certain conditions this session ID is attached to the URL, which can cause the session ID to leak.

<* Source: Macromedia Security Alert (Newsflash@macromedia.com)

link:

http://archives.neohapsis.com/archives/bugtraq/2001-12/0091.html

http://www.allaire.com/handlers/index.cfm?id=22266&Method=Full

*>

Suggest:

-------------------------------------------------- ------------------------------

Temporary solution:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following steps to reduce the threat:

* Temporarily switch to another secure JSP server, such as Apache Tomcat.

Vendor patch:

Allaire

-------

The vendor has released upgrade patches that fix this security issue; download them from the vendor's site:

Allaire JRun 3.0:

Macromedia Patch JRun Win32 JR30SP2_25232.EXE

http://download.allaire.com/publicddl/en/jrun/30/jr30sp2_25232.exe

Macromedia Upgrade JRun UNIX JR30SP2U_25232.SH

http://download.allaire.com/publicddl/en/jrun/30/jr30sp2u_25232.sh

Allaire Jrun 3.1:

Macromedia Patch Jrun Win32 JRUN-31-Win-Upgrade-US_26414.exe

http://download.allaire.com/publicdl/en/jrun/31/jrun-31-win-upgrade-us_26414.exe

Macromedia Upgrade Jrun Unix JRUN-31-Unix-Upgrade-us_26414.sh

http://download.allaire.com/publicddl/en/jrun/31/jrun-31-unix-Upgrade-us_26414.sh

Allaire JRun JSP Source Code Leak Vulnerability

Release Date: 2001-12-16

Update Date: 2001-12-18

Affected system:

Allaire Jrun 3.1

- IBM AIX 4.3

- IBM AIX 4.2

- Microsoft Windows NT 4.0 SP6A

- Microsoft Windows NT 4.0 SP6

- Microsoft Windows NT 4.0 SP5

- Microsoft Windows NT 4.0 SP4

- Microsoft Windows NT 4.0 SP3

- Microsoft Windows NT 4.0 SP2

- Microsoft Windows NT 4.0 SP1

- Microsoft Windows NT 4.0

- Microsoft Windows 98

- Microsoft Windows 95

- Microsoft Windows 2000 Server SP2

- Microsoft Windows 2000 Server SP1

- Microsoft WINDOWS 2000

- Redhat Linux 6.1 Alpha

- Redhat Linux 6.1 SPARC

- Redhat Linux 6.1 x86

- Redhat Linux 6.0 Alpha

- Redhat Linux 6.0

- Redhat Linux 6.0 SPARC

- Redhat Linux 6.0 x86

- SGI IRIX 6.5

- Sun Solaris 8.0

- Sun Solaris 7.0

description:

-------------------------------------------------- ------------------------------

Bugtraq ID: 3662

Allaire JRun is a web application development kit for JSP and Java Servlets. Each web application directory has a "WEB-INF" or "META-INF" directory, which typically contains web application class files, precompiled JSP files, server library files, session information, and configuration information such as "web.xml" and "webapp.properties".

The software has an input validation vulnerability that may disclose JSP file source code.

A remote attacker may retrieve JSP files in any directory by sending a specially crafted request.

<* Source: Macromedia Security Alert (Newsflash@macromedia.com)

link:

http://archives.neohapsis.com/archives/bugtraq/2001-12/0091.html

http://www.allaire.com/handlers/index.cfm?id=22262&mthod=full

http://www.allaire.com/handlers/index.cfm?id=17966&Method=Full

http://www.foundstone.com/cgi-bin/display.cgi?content_id=231

*>

testing method:

-------------------------------------------------- ------------------------------

Warning

The following procedures (methods) may be offensive in nature and are intended only for security research and teaching. Use them at your own risk!

The Foundstone advisory provides the following vulnerability test methods:

http://site.running.jrun:8100//WEB-INF/

http://site.running.jrun:8100//WEB-INF/web.xml

http://site.running.jrun:8100//WEB-INF/webapp.properties

Suggest:

-------------------------------------------------- ------------------------------

Temporary solution:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following steps to reduce the threat:

* Temporarily switch to another secure JSP server, such as Apache Tomcat.

Vendor patch:

Allaire

-------

The vendor has released upgrade patches that fix this security issue; download them from the vendor's site:

Macromedia Patch Jrun Win32 JRUN-31-Win-Upgrade-US_26414.exe

http://download.allaire.com/publicdl/en/jrun/31/jrun-31-win-upgrade-us_26414.exe

Macromedia Upgrade Jrun Unix JRUN-31-Unix-Upgrade-us_26414.sh

http://download.allaire.com/publicddl/en/jrun/31/jrun-31-unix-Upgrade-us_26414.sh

Allaire JRun SSI handling error leads to web source code disclosure vulnerability

Release Date: 2001-11-28

Update Date: 2001-11-29

Affected system:

JRUN 3.1 (All Editions)

JRUN 3.0 (All Editions)

JRUN 2.3.3 (All Editions)

description:

-------------------------------------------------- ------------------------------

Macromedia Jrun is an easy-to-use Java application server that is used in conjunction with Web Server programs.

The SSI (Server Side Includes) processing module of JRun has a flaw. By exploiting it, an attacker can obtain the source code of web pages in the web directory, including .jsp programs.

When a request for an SSI page is sent to the server and the page does not exist, JRun includes the user's HTTP request itself in the web page it returns to the user. Normally an HTTP request carries no content, but a malicious user may send the server a request that contains an SSI directive, which can pull in other files from the web directory, so the attacker can obtain the source code of web pages, as with the following request:

GET /nosuch.shtml HTTP/1.0

Content-Length: 38

This returns the source code of index.jsp.

<* Source: Netcraft Security (Security@netcraft.com)

link:

http://archives.neohapsis.com/archives/bugtraq/2001-11/0238.html

*>

Suggest:

-------------------------------------------------- ------------------------------

Temporary solution:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following steps to reduce the threat:

* Disable the .shtml mapping, as follows. For JRun 3.1 and 3.0, remove the following line from the Rules section of the /jrun/lib/global.properties file:

webapp.servlet-mapping.*.shtml=SSIFILTER

Then add the following to the Rules section of the jrun/lib/global.properties file:

webapp.servlet-mapping./servlet/allaire.jrun.ssi.ssifilter=xxx

For JRun 2.3.3, use the JRun 2.3.3 Administrator to delete the .shtml mapping:

1. Start the 2.3.3 Administrator

2. Select the line starting with "JSM-Default"

3. Click the "Configure" button

4. Select the line starting with "jse"

5. Click the "Service Config" button

6. Click the "Mappings" button

7. Select the line for "*.shtml"

8. Click the "Delete" button

9. Click the "Save" button

10. Repeat 1-9, changing "jse" in step 4 to "jseweb"

Vendor patch:

At present, the vendor has not provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://www.macromedia.com/go/xtraffic_mm_al_software_jrunst/

Allaire JRun directory browsing vulnerability

Release Date: 2001-11-28

Update Date: 2001-11-29

Affected system:

Allaire Jrun 3.0

Allaire Jrun 3.1

- Microsoft IIS 4.0

- Microsoft IIS 5.0

description:

-------------------------------------------------- ------------------------------

Macromedia Jrun is an easy-to-use Java application server that is used in conjunction with Web Server programs.

When a special request containing the ".jsp" suffix is sent to the web server, JRun processes the request, which allows an attacker to browse all directories under the web root directory.

<* Source: George Hedfors (George.hedfors@defcom.com)

link:

http://archives.neohapsis.com/archives/bugtraq/2001-11/0240.html

*>

testing method:

-------------------------------------------------- ------------------------------

Warning

The following procedures (methods) may be offensive in nature and are intended only for security research and teaching. Use them at your own risk!

George Hedfors (George.hedfors@defcom.com) provided the following demonstration:

Use the following URLs to browse any directory under the web root directory:

http://[Machine]/?.JSP

http://[Machine]/[AnyDirectory]/?.JSP

Suggest:

-------------------------------------------------- ------------------------------

Temporary solution:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following steps to reduce the threat:

* Disable JRun's directory browsing function in the JRun management interface:

Set JRun Default Server / Web Applications / Default User Application / File Settings / Directory Browsing Allowed to false.

Set JRun Default Server / Web Applications / JRun Demo / File Settings / Directory Browsing Allowed to false.

Restart the server; directory browsing is then disabled.

Vendor patch:

At present, the vendor has not provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://www.macromedia.com/go/xtraffic_mm_al_software_jrunst/

JRun Web Server WEB-INF Directory Information Leakage

Release Date: 2001-01-30

Update Date: 2001-01-30

Affected system:

Allaire Jrun 3.0

description:

-------------------------------------------------- ------------------------------

When a page request is sent to a JRun web server, a listing of the WEB-INF directory may be returned.

It is also possible to display the contents of the web.xml file in the WEB-INF directory.

Under certain conditions, submitting a malformed URI request to JRun 3.0 returns the WEB-INF directory listing or the contents of the web.xml file.

<* Source: Vanja Hrustic (Vanja@relaygroup.com)

Allaire Security Bulletin (ASB01-02):

http://www.allaire.com/handlers/index.cfm?id=19546&Method=Full

*>

testing method:

-------------------------------------------------- ------------------------------

Warning

The following procedures (methods) may be offensive in nature and are intended only for security research and teaching. Use them at your own risk!

For example, submit a URL similar to:

http://jrun_server:8000/./WEB-INF/

The WEB-INF directory listing on the server will be disclosed.

The following URL returns the contents of the web.xml file:

http://jrun_server:8000/./WEB-INF/web.xml

Suggest:

-------------------------------------------------- ------------------------------

Vendor patch:

Allaire has released a security announcement and provides patch downloads.

Allaire Security Announcement (ASB01-02)

JRun 3.0: Patch Available for JRun Malformed URI WEB-INF Directory Information and web.xml File Retrieval Issue

http://www.allaire.com/handlers/index.cfm?id=19546&Method=Full

Patch download:

Windows 95/98 / NT / 2000 and Windows NT Alpha:

http://download.allaire.com/jrun/jrun3.0/jr30sp2.exe

UNIX / Linux Patch - GNU Gzip / Tar:

http://download.allaire.com/jrun/jrun3.0/jr30sp2u.sh

Allaire JRun servlet malformed request remote denial-of-service vulnerability

Release Date: 2000-10-31

Update Date: 2000-10-31

Affected system:

Allaire Jrun 3.0

- IBM AIX 4.3

- IBM AIX 4.2

- Microsoft Windows NT 4.0 SP6A

- Microsoft Windows NT 4.0 SP6

- Microsoft Windows NT 4.0 SP5

- Microsoft Windows NT 4.0 SP4

- Microsoft Windows NT 4.0 SP3

- Microsoft Windows NT 4.0 SP2

- Microsoft Windows NT 4.0 SP1

- Microsoft Windows NT 4.0

- Microsoft Windows 2000 Server SP2

- Microsoft Windows 2000 Server SP1

- Microsoft Windows 2000 Server

- Redhat Linux 6.1

- Redhat Linux 6.0

- SGI IRIX 6.5

- Sun Solaris 7.0

- Sun Solaris 2.6

description:

-------------------------------------------------- ------------------------------

Bugtraq ID: 2337

Allaire JRun is a web application development kit that includes JSP and Java Servlets. Each web application directory contains a WEB-INF directory, which holds the web application classes, precompiled JSP files, the server's libraries, session information, and files such as web.xml and webapp.properties.

The JRun application server has a vulnerability in its handling of malformed requests, which a remote attacker may use to carry out a denial-of-service attack on the server.

Sending multiple malformed requests to JRun's servlets causes the application server to stop responding, resulting in denial of service.

<* Source: Allaire Security Bulletin

link:

http://www.fusionauthority.com/Article.cfm?articleid=740

http://www.foundstone.com/knowledge/randd-advisories-display.html?id=237

*>

testing method:

-------------------------------------------------- ------------------------------

Warning

The following procedures (methods) may be offensive in nature and are intended only for security research and teaching. Use them at your own risk!

Foundstone provides the following test method:

http://target/servlet/........... (multiple "."s)

Suggest:

-------------------------------------------------- ------------------------------

Vendor patch:

Allaire

-------

Allaire has released a security announcement (ASB00-30) and corresponding patches:

ASB00-30: JRun 3.0: Patch Available for "Multiple .'s Denial of Service" Issue

link:

Patch download:

Allaire JRun 3.0:

Allaire Patch TrailingDots.zip

http://download.allaire.com/patches/trailingDots.zip

Allaire Patch TrailingDots.tgz

http://download.allaire.com/patches/trailingdots.tgz

Allaire JRun 3.0 Directory Disclosure Vulnerability

Release Date: 2000-10-25

Update Date: 2000-10-25

Affected system:

Allaire Jrun 3.0

- Sun Solaris 7.0

- Sun Solaris 2.6

- SGI IRIX 6.5

- Redhat Linux 6.1 SPARC

- Redhat Linux 6.1 i386

- Redhat Linux 6.1 Alpha

- Redhat Linux 6.0 SPARC

- Redhat linux 6.0 i386

- Microsoft Windows 98

- Microsoft Windows 95

- Microsoft Windows NT 4.0

- Microsoft Windows NT 2000

- IBM AIX 4.3

- IBM AIX 4.2

description:

-------------------------------------------------- ------------------------------

Allaire JRun is a web application development kit that includes JSP and Java Servlets. Each web application directory contains a WEB-INF directory, which holds the web application classes, precompiled JSP files, the server's libraries, session information, and files such as web.xml and webapp.properties.

JRun contains a vulnerability that allows remote users to view the contents of the WEB-INF directory: requesting a malformed URL containing an additional "/" exposes all subdirectories of the WEB-INF directory.

Successful exploitation gives a remote intruder read access to any file in the WEB-INF directory.

<* Source: Foundstone Labs (Labs@foundstone.com) *>

testing method:

-------------------------------------------------- ------------------------------

Warning

The following procedures (methods) may be offensive in nature and are intended only for security research and teaching. Use them at your own risk!

Use the following URL:

http://target//WEB-INF/

Suggest:

-------------------------------------------------- ------------------------------

Vendor patch:

Allaire has released the following patch to eliminate the vulnerability:

Allaire JRun 3.0:

Allaire Patch Extraslashes

http://download.allaire.com/jrun/jrun3.0/extraslashes.zip

Windows 95/98 / NT / 2000 and Windows NT Alpha

Allaire Patch Extraslashes.tar

http://download.allaire.com/jrun/jrun3.0/extraslashes.tar.gz

Allaire JRun 2.3 Directory Traversal Vulnerability

Release Date: 2000-10-25

Update Date: 2000-10-25

Affected system:

Allaire Jrun 2.3.x

- Sun Solaris 7.0

- Sun Solaris 2.6

- SGI IRIX 6.5

- Redhat Linux 6.1 SPARC

- Redhat Linux 6.1 i386

- Redhat Linux 6.1 Alpha

- Redhat Linux 6.0 SPARC

- Redhat linux 6.0 i386

- Microsoft Windows 98

- Microsoft Windows 95

- Microsoft Windows NT 4.0

- Microsoft Windows NT 2000

- IBM AIX 4.3

- IBM AIX 4.2

description:

-------------------------------------------------- ------------------------------

Allaire JRun is a JSP and Java Servlets development kit. It has a vulnerability that allows remote users to access files outside the WWW root directory by using the SSIFILTER servlet in a malicious URL request combined with the "../" technique. The SSIFILTER servlet does not check whether the requested path is legitimate.

<* Source: Foundstone Labs (Labs@foundstone.com) *>

testing method:

-------------------------------------------------- ------------------------------

Warning

The following procedures (methods) may be offensive in nature and are intended only for security research and teaching. Use them at your own risk!

http://target/servlet/com.livesoftware.jrun.plugins.ssi.ssifilter/../../path/to/otgpdvt/filename

http://target/servlet/ssifilter/../../path/to/otgpdvt/filename

Suggest:

-------------------------------------------------- ------------------------------

Allaire provides a patch:

Allaire Jrun 2.3.x:

Allaire Patch JR233P_ASB00_28_29

http://download.allaire.com/jrun/jr233p_asb00_28_29.zip

Windows 95/98 / NT / 2000 and Windows NT Alpha

Allaire Patch JR233P_ASB00_28_29TAR

http://download.allaire.com/jrun/jr233p_asb00_28_29.tar.gz

UNIX / Linux Patch - GNU Gzip / Tar
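One way to close the class of input validation errors behind the extra-slash, "/./" and "../" requests in the advisories above is to put the request path into canonical form first and apply the web-root and WEB-INF/META-INF checks only afterwards. The following Python sketch is an added example, not Allaire's patch and not code from any advisory; the function name canonical_path and the sample paths are assumptions made for illustration.

```python
from typing import Optional
from urllib.parse import unquote

# Directories a servlet container must never serve to clients.
PROTECTED_DIRS = {"web-inf", "meta-inf"}


def canonical_path(raw_path: str) -> Optional[str]:
    """Return the canonical request path, or None if the request must be refused.

    Hypothetical helper for illustration; not JRun code.
    """
    path = unquote(raw_path)
    # If a second decoding pass still changes the string, the input was
    # double encoded (for example "%252e%252e"); refuse it outright.
    if unquote(path) != path:
        return None
    if not path.startswith("/") or "\x00" in path or "\\" in path:
        return None

    segments = []
    for segment in path.split("/"):
        if segment not in (".", ".."):
            # Windows drops trailing dots and spaces from file names, so
            # "WEB-INF." or a bare run of dots must not count as a new name.
            segment = segment.rstrip(". ")
        if segment in ("", "."):
            continue  # collapses "//" and "/./"
        if segment == "..":
            if not segments:
                return None  # would climb above the web root
            segments.pop()
            continue
        segments.append(segment)

    # The access check runs on the canonical segments, case-insensitively.
    if any(s.lower() in PROTECTED_DIRS for s in segments):
        return None
    return "/" + "/".join(segments)


# Constructed sample paths modelled on the request shapes in the advisories.
SAMPLES = [
    "/index.jsp",
    "/docs//guide/./intro.html",
    "//WEB-INF/web.xml",
    "/./WEB-INF/",
    "/%57EB-INF/web.xml",
    "/web-inf./web.xml",
    "/app/../../path/to/file",
    "/servlet/ssifilter/../../index.jsp",
    "/servlet/...........",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:40} -> {canonical_path(sample)!r}")
```

Handler selection (for example the /servlet/ prefix) should use the returned canonical path, never the raw one; otherwise "/servlet/ssifilter/../../index.jsp" is still routed to the servlet although it names "/index.jsp".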

Allaire JRun 2.3 remote execution arbitrary code

Release Date: 2000-10-25

Update Date: 2000-10-25

Affected system:

Allaire Jrun 2.3.x

- Sun Solaris 7.0

- Sun Solaris 2.6

- SGI IRIX 6.5

- Redhat Linux 6.1 SPARC

- Redhat Linux 6.1 i386

- Redhat Linux 6.1 Alpha

- Redhat Linux 6.0 SPARC

- Redhat linux 6.0 i386

- Microsoft Windows 98

- Microsoft Windows 95

- Microsoft Windows NT 4.0

- Microsoft Windows NT 2000

- IBM AIX 4.3

- IBM AIX 4.2

description:

-------------------------------------------------- ------------------------------

JRun has a vulnerability that allows remote users to have any file on the file system of the WWW server compiled and executed as JSP code. If the target file path of a URL request contains /servlet/, the JSP interpreter is activated. If "../" is used in the target file path requested by the user, files outside the WWW root directory can be accessed. The requested file is interpreted as a JSP script, so if the user can cause a file to be generated on the target from user-supplied input and can then request that file through the vulnerability above, the security of the target system is seriously threatened.

<* Source: Foundstone Labs (Labs@foundstone.com) *>

testing method:

-------------------------------------------------- ------------------------------

Warning

The following procedures (methods) may be offensive in nature and are intended only for security research and teaching. Use them at your own risk!

http://target/servlet/com.livesoftware.jrun.plugins.jsp.jsp/00../path/to/otgpdvt/filename

http://target/servlet/jsp/../../path/to/otgpdvt/filename

Suggest:

-------------------------------------------------- ------------------------------

Allaire announced the following patch:

Allaire Jrun 2.3.x:

Allaire Patch JR233P_ASB00_28_29

http://download.allaire.com/jrun/jr233p_asb00_28_29.zip

Windows 95/98 / NT / 2000 and Windows NT Alpha

Allaire Patch JR233P_ASB00_28_29TAR

http://download.allaire.com/jrun/jr233p_asb00_28_29.tar.gz

UNIX / Linux Patch - GNU Gzip / Tar

Allaire JRun 2.3.x Example File Vulnerability

Release Date: 2000-06-23

Update Date: 2000-06-23

Affected system:

Allaire Jrun 2.3.x

- Sun Solaris 7.0

- Sun Solaris 2.6

- SGI IRIX 6.5

- Redhat Linux 6.x

- Microsoft Windows 9X

- Microsoft Windows NT 4.0

- Microsoft Windows NT 2000

- IBM AIX 4.x

description:

-------------------------------------------------- ------------------------------

When some of the tutorials, sample code, and applications shipped with Allaire JRun 2.3.x are installed on the server, they may leak sensitive server information, such as the system configuration, or allow certain commands to be executed. The examples that have security problems should be dealt with manually.

<* Source: Allaire Security Bulletin (ASB00-15) *>

testing method:

-------------------------------------------------- ------------------------------

Warning

The following procedures (methods) may be offensive in nature and are intended only for security research and teaching. Use them at your own risk!

For example:

1) Accessing

http://target/servlet/sessionservlet

displays the IDs of all current HTTP sessions.

2) ViewSource.jsp does not check paths by default, which may allow remote users to view any file on the server.

Suggest:

-------------------------------------------------- ------------------------------

Allaire will solve this problem in the new JRUN version 2.3.3, which will be released later this year.

Temporary solution:

Delete all documentation, sample code, examples, and tutorials from the server, including the files in the following directories:

JRUN_HOME/Servlets

JRUN_HOME/JSM-DEFAULT/Services/JWS/HTDOCS

For more detailed instructions on deleting these files, see:

http://www.allaire.com/handlers/index.cfm?id=16258&Method=Full
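A detection sketch for the request shapes listed in the test sections of the advisories above, run over web server access logs in Combined Log Format. It is an added example, not part of any advisory; the log lines, client addresses, session ID value and rule names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: client, identity, user, [time], "request", status,
# size, "referer", "user agent".
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

SESSION_ID = re.compile(r";jsessionid=", re.I)

# Rule names are made up for this example. Each pattern is applied to the
# percent-decoded request target, so "%3f.jsp" and "?.jsp" look the same.
RULES = [
    ("dir-listing-?.jsp", re.compile(r"/\?\.jsp$", re.I)),
    ("web-inf-access", re.compile(r"/(?:web|meta)-inf(?:[/.]|$)", re.I)),
    ("dot-dot-traversal", re.compile(r"(?:^|/)\.\.(?:/|$)")),
    ("servlet-trailing-dots", re.compile(r"^/servlet/\.{3,}$", re.I)),
    ("session-id-in-url", SESSION_ID),
]


def scan(lines):
    """Return (line number, client, rule name) for every rule that fires."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not a Combined Log Format line
        target = unquote(match.group("target"))
        for name, pattern in RULES:
            if pattern.search(target):
                findings.append((number, match.group("client"), name))
        # A session ID carried in a URL also shows up in the Referer header
        # of requests made from that page, which is one way it leaks.
        if SESSION_ID.search(match.group("referer")):
            findings.append((number, match.group("client"), "session-id-in-referer"))
    return findings


# Constructed log lines (documentation address ranges, made-up session ID).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Nov/2001:10:00:01 +0000] "GET /index.jsp HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [29/Nov/2001:10:00:05 +0000] "GET /%3f.jsp HTTP/1.0" 200 2048 "-" "-"',
    '198.51.100.7 - - [29/Nov/2001:10:00:09 +0000] "GET //WEB-INF/web.xml HTTP/1.0" 200 900 "-" "-"',
    '198.51.100.7 - - [29/Nov/2001:10:00:12 +0000] "GET /./WEB-INF/ HTTP/1.0" 200 700 "-" "-"',
    '198.51.100.7 - - [29/Nov/2001:10:00:15 +0000] "GET /servlet/ssifilter/../../path/to/file HTTP/1.0" 200 64 "-" "-"',
    '203.0.113.5 - - [06/Dec/2001:10:04:58 +0000] "GET /shop/cart.jsp;jsessionid=CONSTRUCTED0001 HTTP/1.0" 200 4096 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [06/Dec/2001:10:05:00 +0000] "GET /banner.gif HTTP/1.0" 200 310 "http://shop.example/cart.jsp;jsessionid=CONSTRUCTED0001" "Mozilla/4.0"',
    '198.51.100.7 - - [29/Nov/2001:10:00:20 +0000] "GET /servlet/........... HTTP/1.0" 500 0 "-" "-"',
]

if __name__ == "__main__":
    for number, client, name in scan(SAMPLE_LOG):
        print(f"line {number}: {client} {name}")
```

The SSI source disclosure cannot be matched this way because the directive travels in the request body, which access logs do not record.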
