
Title: Allaire JRUN 2.3 Unauthenticated Access to WEB-INF directory
Released by: Foundstone
Date: 23rd October 2000
                            Foundstone, Inc.

                      "Securing the Dot Com World"

                           Security Advisory

                             Allaire's JRUN


FS Advisory ID:         FS-102300-12-JRUN
Release Date:           October 23, 2000
Product:                JRun 3.0
Vendor:                 Allaire Inc. (http://www.allaire.com)
Vendor Advisory:        http://www.allaire.com/security/
Type:                   Unauthenticated Access to WEB-INF directory
Severity:               High
Author:                 Shreeraj Shah (shreeraj.shah@foundstone.com)
                        Saumil Shah (saumil.shah@foundstone.com)
                        Stuart McClure (stuart.mcclure@foundstone.com)
                        Foundstone, Inc. (http://www.foundstone.com)
Operating Systems:      All operating systems
Vulnerable versions:    JRun 3.0

Foundstone Advisory:

        A severe security flaw exists in Allaire's JRun 3.0 that allows
        an attacker to access WEB-INF directories on the JRun 3.0
        server. The WEB-INF directory tree contains web application
        classes, pre-compiled JSP files, server side libraries,
        session information and files such as web.xml and


        JRun 3.0 can be made to run as a stand-alone web server on
        port 8100. The directory /servers/default holds the different
        web applications hosted by the server. The directory
        /servers/default/default-app is the web document root for the
        default web application. This application is mapped to
        http://site.running.jrun:8100/ when accessed via a web browser.
        Other web application directories are set up in a similar
        manner, as follows:

           /servers/default/app2 ... etc.

        Their URLs would be mapped as:

        and so on, depending on the configuration.

        Each web application directory contains a WEB-INF directory
        tree which contains configuration files, server side
        components, libraries and other application related
        information. This directory is not visible to the client. If
        the WEB-INF directory is requested by a web browser via the
        following URL:

        the server responds with a 403 Forbidden error code. However,
        it is possible to access this directory via the following URL:

        This causes the entire directory tree under WEB-INF to be
        displayed, and eventually files under this directory can be
        accessed. For example:

        would allow remote attackers to view the web.xml and
        webapp.properties files in the WEB-INF directory. Attackers can
        also access critical resources such as class files, session
        information, etc.

Proof of concept

        Prefixing the path to WEB-INF by / in the URL causes the
        directory structure within WEB-INF to be displayed.
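        The protection fails because the WEB-INF check is applied to the raw
        request path rather than to the path the server actually resolves. The
        Python below is added here as an illustration; it is not part of the
        Foundstone advisory or of JRun. It contrasts a raw-path check (the
        `naive_denies_web_inf` model is an assumption about the weak behaviour,
        not JRun's code) with a check on the canonicalised path, and runs the
        canonical check over constructed access-log lines to flag requests that
        resolved into WEB-INF and were served.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the advisory), modelled on the bypass it
# describes: the plain WEB-INF request is refused, the slash-prefixed one is served.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Oct/2000:10:00:01] "GET /index.jsp HTTP/1.0" 200 512
10.0.0.5 - - [23/Oct/2000:10:00:02] "GET /WEB-INF/web.xml HTTP/1.0" 403 0
10.0.0.5 - - [23/Oct/2000:10:00:03] "GET //WEB-INF/web.xml HTTP/1.0" 200 1940
10.0.0.5 - - [23/Oct/2000:10:00:04] "GET /app2//WEB-INF/ HTTP/1.0" 200 800
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalize_path(raw_path: str) -> str:
    """Canonicalise a request path the way the container resolves it on disk:
    drop the query string, percent-decode, collapse runs of '/', and resolve
    '.' and '..'. Access decisions must be made on this form, not the raw URL."""
    path = unquote(raw_path.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)
    return posixpath.normpath("/" + path.lstrip("/"))


def naive_denies_web_inf(raw_path: str) -> bool:
    """Illustrative model (an assumption, not JRun's code) of a check on the
    raw path: it only catches requests that literally begin with /WEB-INF."""
    return raw_path.startswith("/WEB-INF")


def hardened_denies_web_inf(raw_path: str) -> bool:
    """Deny if any segment of the canonical path is WEB-INF, wherever it sits."""
    segments = normalize_path(raw_path).split("/")
    return any(seg.upper() == "WEB-INF" for seg in segments)


def find_served_web_inf_requests(log_text: str) -> list:
    """Detection: return (path, status) for requests that resolve into WEB-INF
    and were answered 200, i.e. the protected tree was actually served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and hardened_denies_web_inf(m["path"]) and m["status"] == "200":
            hits.append((m["path"], m["status"]))
    return hits


if __name__ == "__main__":
    for path, status in find_served_web_inf_requests(SAMPLE_LOG):
        print(f"WEB-INF served: {path} -> {status}")
```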



        Follow the recommendations given in Allaire Security Bulletin
        ASB00-27, available at: http://www.allaire.com/security/

        We would also like to thank Allaire Inc. for their prompt
        reaction to this problem and their co-operation in heightening
        security awareness in the security community.


        The information contained in this advisory is the copyright (C)
        2000 of Foundstone, Inc. and believed to be accurate at the time
        of printing, but no representation or warranty is given, express
        or implied, as to its accuracy or completeness. Neither the
        author nor the publisher accepts any liability whatsoever for
        any direct, indirect or consequential loss or damage arising in
        any way from any use of, or reliance placed on, this information
        for any purpose. This advisory may be redistributed provided that
        no fee is assigned and that the advisory is not modified in any

