[NT] Allaire JRun Directory Browsing Vulnerability
From: support@securiteam.comDate: 12/03/01
- Previous message: support@securiteam.com: "[UNIX] TWIG Default Configurations May Lead to Insecure Auth-cookie Password Storage"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Mon, 3 Dec 2001 09:20:18 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Allaire JRun Directory Browsing Vulnerability
------------------------------------------------------------------------
SUMMARY
Allaire JRun 3.0/3.1 under Microsoft IIS 4.0/5.0 (Apache may also be
vulnerable) has a problem handling malformed URLs. This allows a remote
user to browse the file system under the web root (normally
\inetpub\wwwroot).
DETAILS
Vulnerable systems:
JRun version 3.0
JRun version 3.1
Upon sending a specially formed request to the web server, containing a
'.jsp' extension makes the JRun handle the request. Example:
http://www.example.com/%3f.jsp
This vulnerability allows anyone with remote access to the web server to
browse it and any directory within the web root.
Workaround:
From Macromedia Product Security Bulletin (
<http://www.allaire.com/handlers/index.cfm?ID=22236&Method=Full>
MPSB01-13)
Macromedia recommends, as a best practice, turning off directory browsing
for the JRun Default Server in the following applications:
- Default Application
(the application with '/' mapping that causes the security problem)
- Demo Application
Also, make sure any newly created web application that uses the "/"
mapping has directory browsing off.
The changes that need to be made in the JRun Management Console or JMC:
- JRun Default Server/Web Applications/Default User Application/File
Settings/Directory Browsing Allowed set to FALSE.
- JRun Default Server/Web Applications/JRun Demo/File Settings/Directory
Browsing Allowed set to FALSE.
Restart the servers after making the changes and the %3f.jsp request
should now return a 403 forbidden. When this bug is fixed, the request
(regardless of directory browsing setting) should return a "404 page not
found".
The directory browsing property is called [file.browsedirs]. Changing the
property via the JMC will cause the following changes:
JRun 3.0 will write [file.browsedirs=false] in the local.properties file.
(server-wide change)
JRun 3.1 will write [file.browsedirs=false] in the webapp.properties of
the application.
ADDITIONAL INFORMATION
The information has been provided by <mailto:george.hedfors@defcom.com>
George Hedfors.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[UNIX] TWIG Default Configurations May Lead to Insecure Auth-cookie Password Storage"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
