Allaire JRun "jsessionID" information leak vulnerability
Release Date: 2001-12-6
Affected system:
Allaire JRun 3.0
- IBM AIX 4.2
- IBM AIX 4.3
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 2000
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000 SP2
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6A
- Redhat Linux 6.0 i386
- Redhat Linux 6.0 SPARC
- Redhat Linux 6.1 alpha
- Redhat Linux 6.1 i386
- Redhat Linux 6.1 SPARC
- SGI Irix 6.5
- Sun Solaris 2.6
- Sun Solaris 7.0
Allaire JRun 3.1
- IBM AIX 4.2
- IBM AIX 4.3
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 2000
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000 SP2
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6A
- Redhat Linux 6.0 alpha
- Redhat Linux 6.0 i386
- Redhat Linux 6.0 SPARC
- Redhat Linux 6.1 alpha
- Redhat Linux 6.1 i386
- Redhat Linux 6.1 SPARC
- SGI Irix 6.5
- Sun Solaris 7.0
- Sun Solaris 8.0
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 3665
JRun is a JSP server published by Allaire.
There is a security issue in this software that may lead to disclosure of sensitive information.
When a user accesses a JRun-based site, the user is given a session ID, and under certain conditions this session ID is attached to the URL, which can cause this information to leak.
<* Source: Macromedia Security Alert (newsflash@macromedia.com)
Links:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0091.html
http://www.allaire.com/handlers/index.cfm?id=22266&Method=FULLF
*>
--------------------------------------------------------------------------------
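An added example, not part of the original advisory or of any vendor tooling: a log check that finds where a session ID attached to the URL has ended up in web server access logs, either in the requested URL or in a Referer header sent on a later request, and redacts it. It assumes Combined Log Format and a parameter named jsessionid carried as ";jsessionid=" or "?jsessionid="; the sample log lines are constructed.

```python
import re

# Matches the session token whether it is carried as a path parameter
# (";jsessionid=...") or a query parameter ("?jsessionid=" / "&jsessionid=").
# The exact form used by a given JRun release is an assumption here.
SESSION_RE = re.compile(r"([;?&]jsessionid=)([^&;?#\s\"]+)", re.IGNORECASE)

# Combined Log Format: host ident user [time] "METHOD url PROTO" status size "referer" "agent"
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def redact(text):
    """Replace every session ID value with a fixed marker so logs can be shared."""
    return SESSION_RE.sub(r"\1[REDACTED]", text)

def find_session_leaks(lines):
    """Return (line_no, client, where) for each log line exposing a session ID.

    where is "url" when the ID is in the requested URL and "referer" when a
    browser sent it onward in the Referer header of a later request.
    """
    findings = []
    for no, line in enumerate(lines, 1):
        m = CLF_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for where in ("url", "referer"):
            if SESSION_RE.search(m.group(where)):
                findings.append((no, m.group("client"), where))
    return findings

# Constructed sample log lines (documentation addresses and hosts, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Dec/2001:10:00:01 +0000] "GET /shop/cart.jsp?jsessionid=12345abcde HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [06/Dec/2001:10:00:05 +0000] "GET /images/logo.gif HTTP/1.0" 200 2048 "http://shop.example/shop/cart.jsp;jsessionid=12345abcde" "Mozilla/4.0"',
    '198.51.100.7 - - [06/Dec/2001:10:01:00 +0000] "GET /index.jsp HTTP/1.0" 200 900 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for no, client, where in find_session_leaks(SAMPLE_LOG):
        print(no, client, where, redact(SAMPLE_LOG[no - 1]))
```

Any hit means the session ID has been written to a place other than the client and the application, so the affected sessions should be invalidated once the patch is installed.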
Suggestion:
Temporary solution:
If you cannot install the patch or upgrade immediately, NSFOCUS recommends that you take the following measures to reduce the threat:
* Temporarily use another secure JSP server, such as Apache Tomcat.
Vendor patch:
The vendor has released patches that fix this security problem; please go to the vendor's homepage:
Allaire JRun 3.0:
Macromedia Patch JRun Win32 JR30SP2_25232.EXE
http://download.allaire.com/publicddl/en/jrun/30/jr30sp2_25232.exe
Macromedia Upgrade JRun Unix JR30SP2U_25232.SH
http://download.allaire.com/publicddl/en/jrun/30/jr30sp2u_25232.sh
Allaire JRun 3.1:
Macromedia Patch JRun Win32 JRUN-31-Win-Upgrade-US_26414.EXE
http://download.allaire.com/publicddl/en/jrun/31/jrun-31-win-upgrade-us_26414.exe
Macromedia Upgrade JRun Unix-31-Unix-Upgrade-us_26414.sh
http://download.allaire.com/publicddl/en/jrun/31/jrun-31-unix-Upgrade-us_26414.sh