def-2001-32

From: George Hedfors (george.hedfors@defcom.com)
Date: 11/28/01


From: "George Hedfors" <george.hedfors@defcom.com>
To: <bugtraq@securityfocus.com>
Subject: def-2001-32
Date: Wed, 28 Nov 2001 12:54:46 +0100
Message-ID: <PKEMKDGKMFGJMOHGPHFPEEBGCAAA.george.hedfors@defcom.com>


======================================================================
                  Defcom Labs Advisory def-2001-32

            Allaire JRun directory browsing vulnerability

Author: George Hedfors <george.hedfors@defcom.com>
Release Date: 2001-11-28
======================================================================
------------------------=[Brief Description]=-------------------------
Allaire JRun 3.0/3.1 under a Microsoft IIS 4.0/5.0 platform has a
problem handling malformed URLs. This allows a remote user to browse
the file system under the web root (normally \inetpub\wwwroot).
------------------------=[Affected Systems]=--------------------------
Under Windows NT/2000 (any service pack) and IIS 4.0/5.0:
- JRun 3.0 (all editions)
- JRun 3.1 (all editions)
----------------------=[Detailed Description]=------------------------
Sending a specially formed request whose path carries a '.jsp'
extension causes JRun, rather than IIS, to handle the request. Example:

http://www.victim.com/%3f.jsp

This vulnerability allows anyone with remote access to the web server
to browse the web root and any directory beneath it.

---------------------------=[Workaround]=-----------------------------
From Macromedia Product Security Bulletin (MPSB01-13)
http://www.allaire.com/handlers/index.cfm?ID=22236&Method=Full

Macromedia recommends, as a best practice, turning off directory
browsing for the JRun Default Server in the following applications:

- Default Application (the application with '/' mapping that causes
  the security problem)

- Demo Application

Also, make sure any newly created web application that uses the "/"
mapping has directory browsing off.

The changes that need to be made in the JRun Management Console or JMC:

- JRun Default Server/Web Applications/Default User Application/File
  Settings/Directory Browsing Allowed set to FALSE.
- JRun Default Server/Web Applications/JRun Demo/File Settings/
  Directory Browsing Allowed set to FALSE.

Restart the servers after making the changes and the %3f.jsp request
should now return a 403 forbidden. When this bug is fixed, the request
(regardless of directory browsing setting) should return a "404 page
not found".

The directory browsing property is called [file.browsedirs]. Changing
the property via the JMC will cause the following changes:
JRun 3.0 will write [file.browsedirs=false] in the local.properties
file. (server-wide change)
JRun 3.1 will write [file.browsedirs=false] in the webapp.properties
of the application.
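The property names above are the only setting the workaround changes, so an administrator can confirm it took effect by reading the file JRun writes instead of trusting the JMC display. The following is an added example, not code from Defcom Labs or Macromedia: a small Java-style .properties reader that checks whether file.browsedirs is explicitly false in a given local.properties (JRun 3.0) or webapp.properties (JRun 3.1) text. The sample file contents are constructed; treating an absent key as "not verified" is an assumption, since the advisory does not state the product default.

```python
import re

# Constructed sample files, modelled on the lines the advisory says the JMC
# writes. These are not copies of real JRun installations.
SAMPLE_LOCAL_PROPS_30 = """\
# JRun 3.0 local.properties (constructed sample)
file.browsedirs=false
servlet.directory=../servlets
"""

SAMPLE_WEBAPP_PROPS_31 = """\
# JRun 3.1 webapp.properties for the Default User Application (constructed)
file.browsedirs=true
file.welcomefiles=index.html
"""

SAMPLE_UNSET = """\
# No file.browsedirs line at all (constructed)
servlet.directory=../servlets
"""


def parse_properties(text):
    """Parse key/value lines the way java.util.Properties does for the
    simple cases JRun writes: '=' or ':' separators, '#' and '!' comments.
    Backslash line continuations are not handled (simplification)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if not m:
            continue
        props[m.group(1)] = m.group(2).strip()
    return props


def directory_browsing_disabled(text):
    """True only when file.browsedirs is present and set to false
    (case-insensitive). Assumption: a missing key counts as not verified."""
    value = parse_properties(text).get("file.browsedirs")
    if value is None:
        return False
    return value.lower() == "false"


def audit(files):
    """files: mapping of a label (e.g. a path) to the file's text.
    Returns label -> 'ok' | 'browsing-enabled' | 'unset'."""
    report = {}
    for label, text in files.items():
        value = parse_properties(text).get("file.browsedirs")
        if value is None:
            report[label] = "unset"
        elif value.lower() == "false":
            report[label] = "ok"
        else:
            report[label] = "browsing-enabled"
    return report


if __name__ == "__main__":
    result = audit({
        "jrun30/local.properties": SAMPLE_LOCAL_PROPS_30,
        "jrun31/default-app/webapp.properties": SAMPLE_WEBAPP_PROPS_31,
        "jrun31/demo-app/webapp.properties": SAMPLE_UNSET,
    })
    for label, verdict in result.items():
        print(f"{label}: {verdict}")
```

For JRun 3.0 one local.properties covers the whole server; for JRun 3.1 every application with a "/" mapping has its own webapp.properties, so each one is passed to audit() separately.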

-----------------------------=[Exploit]=------------------------------
http://[machine]/%3f.jsp
http://[machine]/[anydirectory]/%3f.jsp
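Because the request shape is fixed, it is easy to find in IIS W3C extended logs after the fact and to tell from the status code which state the server was in, using the advisory's own statement that the workaround yields 403 and a fixed server yields 404. The following is an added example, not part of the Defcom advisory: a scanner that reads constructed IIS log lines, flags any request whose last path segment is "?.jsp" after percent-decoding (so it covers the [anydirectory] form as well), and labels each hit by status. Decoding repeatedly so that a double-encoded variant is also flagged is an assumption of the example, not something the advisory describes.

```python
from urllib.parse import unquote

# Constructed IIS 5.0 W3C extended log excerpt for demonstration only.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-11-28 12:54:46 10.0.0.5 GET /index.html - 200
2001-11-28 12:55:01 10.0.0.9 GET /%3f.jsp - 200
2001-11-28 12:55:07 10.0.0.9 GET /images/%3F.jsp - 200
2001-11-28 12:56:20 10.0.0.7 GET /app/page.jsp - 200
2001-11-28 12:57:02 10.0.0.9 GET /%3f.jsp - 403
2001-11-28 12:58:11 10.0.0.9 GET /%253f.jsp - 404
"""


def is_jrun_dirlist_probe(uri_stem):
    """True when the final path segment is '?.jsp' once percent-encoding is
    removed. Decoding is repeated (bounded) so %253f is caught too; that
    double-decoding is an assumption, not advisory content."""
    decoded = uri_stem
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    last = decoded.rsplit("/", 1)[-1].lower()
    return last.startswith("?") and last.endswith(".jsp")


def classify_status(status):
    """Verdict per the advisory's workaround text: 200 = request served,
    403 = JMC directory-browsing change in place, 404 = bug fixed."""
    return {200: "served", 403: "workaround", 404: "fixed"}.get(status, "other")


def scan_iis_log(text):
    """Parse '#Fields:'-driven W3C log text; return one dict per probe hit."""
    fields = None
    findings = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        rec = dict(zip(fields, parts))
        stem = rec.get("cs-uri-stem", "")
        if not is_jrun_dirlist_probe(stem):
            continue
        try:
            status = int(rec.get("sc-status", "0"))
        except ValueError:
            status = 0
        findings.append({
            "time": f"{rec.get('date', '')} {rec.get('time', '')}",
            "ip": rec.get("c-ip", ""),
            "uri": stem,
            "status": status,
            "verdict": classify_status(status),
        })
    return findings


def hits_per_source(findings):
    """Count probe requests by client address."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['uri']} -> {f['status']} ({f['verdict']})")
    print(hits_per_source(scan_iis_log(SAMPLE_LOG)))
```

A "served" verdict against a path under the web root is the one worth investigating, since it means JRun answered the request while directory browsing was still allowed.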

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 6th of
November, 2001. The vendor's workaround is published in:
Macromedia Product Security Bulletin (MPSB01-13)
http://www.allaire.com/handlers/index.cfm?ID=22236&Method=Full

======================================================================
            This release was brought to you by Defcom Labs

          labs@defcom.com http://labs.defcom.com
======================================================================
