[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Allaire's JRUN DoS

Title: Allaire's JRUN DoS
Released by: Foundstone
Date: 1st November 2000
Printable version: Click here
                            Foundstone, Inc.


                      "Securing the Dot Com World"

                           Security Advisory

                           Allaire's JRUN DoS


FS Advisory ID:         FS-110100-17-JRUN

Release Date:           November 1, 2000

Product:                JRun 3.0

Vendor:                 Allaire Inc. (http://www.allaire.com)

Vendor Advisory:        http://www.allaire.com/security/

Type:                   Denial of Service attack

Severity:               High

Author:                 Shreeraj Shah (shreeraj.shah@foundstone.com)

                        Saumil Shah (saumil.shah@foundstone.com)

                        Stuart McClure (stuart.mcclure@foundstone.com)

                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      All operating systems

Vulnerable versions:    JRun 3.0

Foundstone Advisory:




        A denial of service vulnerability exists within the Allaire

        JRun 3.0 web application server which allows an attacker to

        bring down the JRun application server engine.


        JRun3.0 is a Java application server, supporting Java Server

        Pages, Java servlets and other Java related technologies. The

        /servlet URL prefix is mapped as a handler for invoking


        Servlets are stored in a hierarchical manner and are accessed

        via a naming convention of the type:

           .. ... .

        Hence if a servlet called test is stored under com/site/test,

        it is invoked by the URL:


        If a large string of dots is placed after the /servlet/ URL

        prefix, such as:


           (hundreds of "."s)

        it gets interpreted as a very large tree of non-existent

        directories when looking for the servlet. This causes the

        JRun server engine to temporarily consume system resources at

        a high priority, and brings about a temporary denial of

        services for the JRun server engine. Other services do not

        get affected.

        If many such URL requests are made, the JRun server engine

        (specifically the javaw process) does not recover. All

        other JRun dependent requests get denied.

Proof of concept

        From a browser, make the following URL request:

        http://site.running.jrun/servlet/........... (many "."s)


        Follow the recommendations given in Allaire Security Bulletin

        ASB00-30, available at: http://www.allaire.com/security/


        We would also like to thank Allaire Inc. for their prompt

        reaction to this problem and their co-operation in heightening

        security awareness in the security community.


        The information contained in this advisory is the copyright (C)

        2000 of Foundstone, Inc. and believed to be accurate at the time

        of printing, but no representation or warranty is given, express

        or implied, as to its accuracy or completeness. Neither the

        author nor the publisher accepts any liability whatsoever for

        any direct, indirect or conquential loss or damage arising in

        any way from any use of, or reliance placed on, this information

        for any purpose. This advisory may be redistributed provided that

        no fee is assigned and that the advisory is not modified in any


(C) 1999-2000 All rights reserved.