Re: def-2001-32

From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: 11/29/01

Previous message: Junius, Martin: "RE: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability"
In reply to: George Hedfors: "def-2001-32"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 29 Nov 2001 15:28:03 +0300
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Message-ID: <13416919168.20011129152803@SECURITY.NNOV.RU>
To: "George Hedfors" <george.hedfors@defcom.com>
Subject: Re: def-2001-32

Hello George,

This is probably a problem of poor IIS configuration. Open properties
for default web server, Home Directory, Configuration. Open properties
for .jsp extension and assume "Check that file exists" option is
selected.

It's quite common problem for all CGI/ISAPI applications.

--Wednesday, November 28, 2001, 2:54:46 PM, you wrote to bugtraq@securityfocus.com:

GH> ======================================================================
GH> Defcom Labs Advisory def-2001-32

GH> Allaire JRun directory browsing vulnerability

GH> Author: George Hedfors <george.hedfors@defcom.com>
GH> Release Date: 2001-11-28
GH> ======================================================================
GH> ------------------------=[Brief Description]=-------------------------
GH> Allaire JRun 3.0/3.1 under a Microsoft IIS 4.0/5.0 platform has a
GH> problem handling malformed URLs. This allows a remote user to browse
GH> the file system under the web root (normally \inetpub\wwwroot).
GH> ------------------------=[Affected Systems]=--------------------------
GH> Under Windows NT/2000(any service pack) and IIS 4.0/5.0:
GH> - JRun 3.0 (all editions)
GH> - JRun 3.1 (all editions)
GH> ----------------------=[Detailed Description]=------------------------
GH> Upon sending a specially formed request to the web server, containing
GH> a '.jsp' extension makes the JRun handle the request. Example:

GH> http://www.victim.com/%3f.jsp

GH> This vulnerability allows anyone with remote access to the web server
GH> to browse it and any directory within the web root.

GH> ---------------------------=[Workaround]=-----------------------------
GH> From Macromedia Product Security Bulletin (MPSB01-13)
GH> http://www.allaire.com/handlers/index.cfm?ID=22236&Method=Full

GH> Macromedia recommends, as a best practice, turning off directory
GH> browsing for the JRun Default Server in the following applications:

GH> - Default Application (the application with '/' mapping that causes
GH> the security problem)

GH> - Demo Application
GH> Also, make sure any newly created web application that uses the "/"
GH> mapping has directory browsing off.

GH> The changes that need to be made in the JRun Management Console or JMC:

GH> - JRun Default Server/Web Applications/Default User Application/File
GH> Settings/Directory Browsing Allowed set to FALSE.
GH> - JRun Default Server/Web Applications/JRun Demo/File Settings/
GH> Directory Browsing Allowed set to FALSE.

GH> Restart the servers after making the changes and the %3f.jsp request
GH> should now return a 403 forbidden. When this bug is fixed, the request
GH> (regardless of directory browsing setting) should return a "404 page
GH> not found".

GH> The directory browsing property is called [file.browsedirs]. Changing
GH> the property via the JMC will cause the following changes:
GH> JRun 3.0 will write [file.browsedirs=false] in the local.properties
GH> file. (server-wide change)
GH> JRun 3.1 will write [file.browsedirs=false] in the webapp.properties
GH> of the application.

GH> -----------------------------=[Exploit]=------------------------------
GH> http://[machine]/%3f.jsp
GH> http://[machine]/[anydirectory]/%3f.jsp

GH> -------------------------=[Vendor Response]=--------------------------
GH> This issue was brought to the vendors attention on the 6th of
GH> November, 2001. Workaround:
GH> Macromedia Product Security Bulletin (MPSB01-13)
GH> http://www.allaire.com/handlers/index.cfm?ID=22236&Method=Full

GH> ======================================================================
GH> This release was brought to you by Defcom Labs

GH> labs@defcom.com http://labs.defcom.com
GH> ======================================================================

-- 
~/ZARAZA
Стреляя во второй раз, он искалечил постороннего. Посторонним был я. (Твен)

Previous message: Junius, Martin: "RE: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability"
In reply to: George Hedfors: "def-2001-32"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: download an image and save locally
... a web server is similar to a file server in that it can fetch files ... that, in order to request a file, you have to know the file name. ... although you can configure the web server to not allow directory browsing. ... Set up a loop to attempt to download all combinations of possible file ...
(microsoft.public.dotnet.framework.aspnet)
Re: Read-only/hidden directories
... > An associate mentioned that I could further protect my private website by ... and disallowing visitors to browse my directories. ... To the folder that houses my web server? ... Other Web servers let you turn on directory browsing on ...
(comp.security.firewalls)
Re: Read-only/hidden directories
... > An associate mentioned that I could further protect my private website by ... and disallowing visitors to browse my directories. ... To the folder that houses my web server? ... Other Web servers let you turn on directory browsing on ...
(comp.security.firewalls)