[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Allaire JRUN 2.3 Vulnerability

Title: Allaire JRUN 2.3 Vulnerability
Released by: Foundstone
Date: 23rd October 2000
Printable version: Click here
                            Foundstone, Inc.


                      "Securing the Dot Com World"

                           Security Advisory

                           Allaire JRUN 2.3


FS Advisory ID:         FS-102300-13-JRUN

Release Date:           October 23, 2000

Product:                Allaire JRUN 2.3

Vendor:                 Allaire Inc. (http://www.allaire.com)

Vendor Advisory:        http://www.allaire.com/security/

Type:                   Arbitrary File Retrieval

Severity:               High

Author:                 Shreeraj Shah (shreeraj.shah@foundstone.com)

                        Saumil Shah (saumil.shah@foundstone.com)

                        Stuart McClure (stuart.mcclure@foundstone.com)

                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      All operating systems supported by JRUN

Vulnerable versions:    JRUN Server v2.3

Foundstone Advisory:




        Multiple show code vulnerabilities exist in Allaire's JRUN

        Server 2.3 allowing an attacker to view the source code of any

        file within the web document root of the web server.

        Using the same vulnerability, it is also possible to retrieve

        arbitrary files that lie outside the web document root on the

        host operating system's file system.


        JRun 2.3 uses Java Servlets to handle parsing of various types

        of pages (for example, HTML, JSP, etc). Based on the settings

        in the rules.properties and servlets.properties files, it is

        possible to invoke any servlet using the URL prefix


        It is possible to use JRun's SSIFilter servlet to retrieve

        arbitrary files on the target system. The following two

        examples show the URLs that can be used to retrieve any

        arbitrary files:










        Note: It is assumed that JRun runs on host "jrun", port 8000.


        Follow the recommendations given in Allaire Security Bulletin

        ASB00-28, available at: http://www.allaire.com/security/


        We would also like to thank Allaire for their prompt reaction

        to this problem and their co-operation in heightening

        security awareness in the security community.


        The information contained in this advisory is the copyright

        (C) 2000 of Foundstone, Inc. and believed to be accurate at

        the time of printing, but no representation or warranty is

        given, express or implied, as to its accuracy or completeness.

        Neither the author nor the publisher accepts any liability

        whatsoever for any direct, indirect or conquential loss or

        damage arising in any way from any use of, or reliance placed

        on, this information for any purpose. This advisory may be

        redistributed provided that no fee is assigned and that the

        advisory is not modified in any way.

(C) 1999-2000 All rights reserved.