Title: Allaire JRUN 2.3 Unauthenticated Access to WEB-INF directory
Released by: Foundstone
Date: 23rd October 2000
                            Foundstone, Inc.
                        http://www.foundstone.com
                      "Securing the Dot Com World"

                           Security Advisory

                             Allaire's JRUN


----------------------------------------------------------------------

FS Advisory ID:         FS-102300-12-JRUN
Release Date:           October 23, 2000
Product:                JRun 3.0
Vendor:                 Allaire Inc. (http://www.allaire.com)
Vendor Advisory:        http://www.allaire.com/security/
Type:                   Unauthenticated Access to WEB-INF directory
Severity:               High
Author:                 Shreeraj Shah (shreeraj.shah@foundstone.com)
                        Saumil Shah (saumil.shah@foundstone.com)
                        Stuart McClure (stuart.mcclure@foundstone.com)
                        Foundstone, Inc. (http://www.foundstone.com)
Operating Systems:      All operating systems
Vulnerable versions:    JRun 3.0
Foundstone Advisory:    http://www.foundstone.com/cgi-bin/display.cgi?Section_ID=13

----------------------------------------------------------------------



Description

        A severe security flaw exists in Allaire's JRun 3.0 that allows
        an attacker to access WEB-INF directories on the JRun 3.0
        server. The WEB-INF directory tree contains web application
        classes, pre-compiled JSP files, server side libraries,
        session information and files such as web.xml and
        webapp.properties.




Details

        JRun 3.0 can be made to run as a stand-alone web server on
        port 8100. The directory /servers/default holds the web
        applications hosted on it.

        The directory /servers/default/default-app is the web document
        root for the default web application. This application is
        mapped to http://site.running.jrun:8100/ when accessed via a
        web browser.

        Other web application directories are set up in a similar
        manner, as follows:

           /servers/default/app1
           /servers/default/app2 ... etc.

        Their URLs would be mapped as:

           http://site.running.jrun:8100/app1,
           http://site.running.jrun:8100/app2,...

        and so on, depending on the configuration.

        Each web application directory contains a WEB-INF directory
        tree which holds configuration files, server side components,
        libraries and other application related information. This
        directory is not meant to be visible to the client. If the
        WEB-INF directory is requested by a web browser with the
        following URL:

           http://site.running.jrun:8100/WEB-INF/

        the server responds with a 403 Forbidden error code. However,
        it is possible to access this directory via the following URL:

           http://site.running.jrun:8100//WEB-INF/

        This causes the entire directory tree under WEB-INF to be
        listed, and the files within it can then be accessed. For
        example:

           http://site.running.jrun:8100//WEB-INF/web.xml
           http://site.running.jrun:8100//WEB-INF/webapp.properties

        would allow remote attackers to view web.xml and
        webapp.properties in the WEB-INF directory. Attackers can also
        access critical resources such as class files, session
        information, etc.




Proof of concept

        Prefixing the WEB-INF path with an extra / in the URL (that is,
        a double slash) causes the directory structure within WEB-INF
        to be displayed:

        http://site.running.jrun:8100//WEB-INF/

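Added illustration, not part of the Foundstone advisory or of JRun's own code: a Python model of why a literal-prefix check on the raw request path misses //WEB-INF/, a canonicalise-then-check replacement of the kind a container or reverse proxy should apply, and a scan of constructed access-log lines for WEB-INF requests that were served rather than refused. The PROTECTED_DIRS set, the log lines, the bounded double-decoding and all function names are assumptions made here, not JRun behaviour.

```python
import posixpath
import re
from urllib.parse import unquote

# Directories the servlet container must never serve to a client (assumed set).
PROTECTED_DIRS = {"WEB-INF"}

def naive_is_protected(request_path):
    """The style of check this advisory defeats: it compares the raw request
    path against the literal prefix '/WEB-INF', so '//WEB-INF/' slips past."""
    return request_path.upper().startswith("/WEB-INF")

def canonical_path(request_path):
    """Reduce every spelling of a path to one form before any access decision:
    percent-decode (bounded repeat, to catch double encoding), collapse
    repeated slashes and resolve '.' and '..' segments."""
    decoded = request_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # normpath keeps a leading '//' (POSIX allows it), so strip the leading
    # slashes first and re-root the path with exactly one.
    return posixpath.normpath("/" + decoded.lstrip("/"))

def hardened_is_protected(request_path):
    """Block when ANY segment of the canonical path is a protected directory,
    which also covers per-application trees such as /app1/WEB-INF/."""
    segments = canonical_path(request_path).split("/")
    return any(seg.upper() in PROTECTED_DIRS for seg in segments)

# Constructed access-log lines (Common Log Format), used only for this demo.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Oct/2000:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 512
10.0.0.5 - - [23/Oct/2000:10:01:09 +0000] "GET /WEB-INF/ HTTP/1.0" 403 0
10.0.0.5 - - [23/Oct/2000:10:01:15 +0000] "GET //WEB-INF/web.xml HTTP/1.0" 200 2048
10.0.0.7 - - [23/Oct/2000:10:02:00 +0000] "GET /app1/%57EB-INF/ HTTP/1.0" 200 900
"""
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def served_protected_requests(log_text):
    """Return (raw_path, status) for requests that reached a protected
    directory under any spelling and were NOT refused with 403, i.e. the
    container's own check was bypassed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and hardened_is_protected(m.group(1)) and m.group(2) != "403":
            hits.append((m.group(1), m.group(2)))
    return hits
```

Running served_protected_requests over a real log flags the double-slash and percent-encoded spellings that the naive check let through, while the plain /WEB-INF/ request that drew a 403 is correctly left out.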



Solution

        Follow the recommendations given in Allaire Security Bulletin
        ASB00-27, available at: http://www.allaire.com/security/




Credits

        We would also like to thank Allaire Inc. for their prompt
        reaction to this problem and their co-operation in heightening
        security awareness in the security community.




Disclaimer

        The information contained in this advisory is the copyright (C)
        2000 of Foundstone, Inc. and believed to be accurate at the time
        of printing, but no representation or warranty is given, express
        or implied, as to its accuracy or completeness. Neither the
        author nor the publisher accepts any liability whatsoever for
        any direct, indirect or consequential loss or damage arising in
        any way from any use of, or reliance placed on, this information
        for any purpose. This advisory may be redistributed provided that
        no fee is assigned and that the advisory is not modified in any
        way.