Allaire jrun directory traversal vulnerability
Release Date: 2001-12-6 Updated: 2001-12-18 Affected System: Allaire Jrun 2.3.3Allaire JRun 3.0- IBM AIX 4.2- IBM AIX 4.3- Microsoft Windows 95- Microsoft Windows 98- Microsoft Windows 2000- Microsoft Windows 2000 SP1- Microsoft Windows 2000 SP2- Microsoft Windows NT 4.0- Microsoft Windows NT 4.0SP1- Microsoft Windows NT 4.0SP2- Microsoft Windows NT 4.0SP3- Microsoft Windows NT 4.0SP4- Microsoft Windows NT 4.0SP6- Microsoft Windows NT 4.0SP6a- RedHat Linux 6.0 i386- RedHat Linux 6.0 sparc- RedHat Linux 6.1 alpha- RedHat Linux 6.1 i386- RedHat Linux 6.1 sparc- SGI IRIX 6.5- Sun Solaris 2.6- Sun Solaris 7.0Allaire JRun 3.1- IBM AIX 4.2- IBM AIX 4.3- Microsoft Windows 95- Microsoft Windows 98- Microsoft Windows 2000- Microsoft Windows 2000 SP1- Microsoft Windows 2000 SP2- Microsoft Windows NT 4.0- Microsoft Windows NT 4.0SP1- Microsoft Windows NT 4.0SP2- Microsoft Windows NT 4.0SP3- Microsoft Windows NT 4.0SP4- Microsoft Windows NT 4.0SP5- Microsoft Windows NT 4.0SP6- Microsoft Windows NT 4.0sp6a- Redhat Linu x 6.0 Alpha- Redhat Linux 6.0 i386- Redhat Linux 6.0 SPARC- Redhat Linux 6.1 Alpha- Redhat Linux 6.1 i386- Redhat Linux 6.1 SPARC- SGI IRIX 6.5- Sun Solaris 7.0- Sun Solaris 8.0 Description: ------------ -------------------------------------------------- ---------------------- Bugtraq ID: 3666jrun is a JSP server published by Allaire. There is a security issue in this software, which may cause the directory to traverse the entire file system. Since JRUN does not have the correct path identifier, the remote attacker can pass "../" traverse the entire file system.
