Bugtraq mailing list archives

Re: def-2001-32 - Allaire JRun directory browsing vulnerability


From: David Walker <bugtraq () grax com>
Date: Sat, 1 Dec 2001 19:32:53 -0600

The most likely cause of this behavior has to do with the character code to
URL conversion.
The web server converts "/%3f.jsp" to "/?.jsp".  Since the character is
encoded, it is assumed to be a legitimate part of the filename.
Then the URL "/?.jsp" is passed to JRun, which sees it as a request for "/"
with a query string of ".jsp".

This type of bug could be used to produce other unexpected behavior.
A request for "/myfile.htm%3f.jsp" could possibly result in JRun serving
/myfile.htm rather than the web server.  I don't use JRun, so I have no way of
knowing if any of this unexpected behavior happens or might be dangerous.

This type of bug may be discovered in other products that depend on file 
extensions and parse the query string themselves rather than depending on the 
query string the web server sets.

A similar exploit was discovered earlier this year with IIS and .htr files.

On Friday 30 November 2001 02:31 pm, Johan Burati wrote:
JRUN 3.0 with Netscape-Enterprise/4.1 running on HPUX is vulnerable too.

Regards,
Johan Burati

-----Original Message-----
From: Felix Huber [mailto:huberfelix () webtopia de]
Sent: Friday, November 30, 2001 12:09 AM
To: bugtraq () securityfocus com
Cc: Stephen Dupre
Subject: Re: def-2001-32 - Allaire JRun directory browsing vulnerability

http://www.victim.com/%3f.jsp

Not only IIS is affected; I found vulnerable sites running Apache
1.3.19/Solaris and Apache 1.3.12/Linux.

I just got a mail from Stephen Dupre (Macromedia); he helped me a lot to
bring light into this thing. JRun seems to be fine on Solaris/Linux/HPUX (but
he is still investigating this). You can find the Macromedia Advisory here:
http://www.allaire.com/handlers/index.cfm?ID=22236&Method=Full

The problem on the other sites seems to be mod_jk/mod_rewrite or Jserv
(Apache.org is contacted). But it's still unclear at the moment what causes
this behavior (Directory Listing).

Simply use the NASL file from my last mail; it will work in any case. At
the moment even a large German web hoster running Linux is vulnerable to
this.


Regards,
Felix Huber


-------------------------------------------------------
Felix Huber, Security Consultant, Webtopia
Guendlinger Str.2, 79241 Ihringen - Germany
huberfelix () webtopia de     (07668)  951 156 (phone)
http://www.webtopia.de     (07668)  951 157 (fax)
                                         (01792)  205 724 (mobile)
-------------------------------------------------------
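The parsing discrepancy David Walker describes (the front-end server percent-decodes "%3f" once and routes on the ".jsp" extension, while the servlet engine re-parses the decoded string and sees path "/" with query ".jsp") can be modelled in a few lines. The following is an added illustration and is not code from the post, from JRun, or from any of the web servers named in the thread; the function names, the toy routing logic and the three access-log lines are constructed for the example. It also shows the defensive counterpart: split path from query before decoding, decode only the path, reject a decoded path that contains a reserved delimiter, and a log check for the encoded "?" pattern.

```python
from urllib.parse import unquote


def front_end_route(raw_target):
    """Model of the front-end web server as the post describes it:
    percent-decode the request target once, then pick a handler by extension.
    '/%3f.jsp' decodes to '/?.jsp' and, ending in '.jsp', is handed to JRun."""
    decoded = unquote(raw_target)
    handler = "jrun" if decoded.lower().endswith(".jsp") else "webserver"
    return decoded, handler


def naive_reparse(decoded_target):
    """Model of a servlet engine that re-parses the already-decoded string as a
    URL instead of using the query string the web server already separated:
    '/?.jsp' becomes path '/' with query '.jsp'."""
    path, _, query = decoded_target.partition("?")
    return path, query


def hardened_route(raw_target):
    """Defensive variant (hypothetical): split path from query BEFORE decoding,
    decode only the path component, and refuse any path whose decoded form
    contains a reserved delimiter.  Returns (path, query, handler), or None
    when the request is rejected."""
    raw_path, _, query = raw_target.partition("?")
    path = unquote(raw_path)
    if "?" in path or "#" in path:   # delimiter smuggled in via percent-encoding
        return None
    handler = "jrun" if path.lower().endswith(".jsp") else "webserver"
    return path, query, handler


def flag_encoded_question_mark(log_line):
    """Access-log check (Common Log Format): True when the request path, i.e.
    the part of the target before any literal '?', carries a percent-encoded
    '?' (%3f / %3F)."""
    try:
        target = log_line.split('"')[1].split()[1]
    except IndexError:
        return False
    raw_path = target.partition("?")[0]
    return "%3f" in raw_path.lower()


def scan_log(lines):
    """Return the log lines that carry an encoded '?' in the path."""
    return [line for line in lines if flag_encoded_question_mark(line)]


# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2001:19:32:53 -0600] "GET /%3f.jsp HTTP/1.0" 200 4096',
    '10.0.0.5 - - [01/Dec/2001:19:33:10 -0600] "GET /myfile.htm%3f.jsp HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Dec/2001:19:34:01 -0600] "GET /index.jsp?id=7 HTTP/1.0" 200 2048',
]


if __name__ == "__main__":
    decoded, handler = front_end_route("/%3f.jsp")
    print("front end sees", decoded, "-> handler", handler)
    print("naive re-parse sees path/query", naive_reparse(decoded))
    print("hardened route:", hardened_route("/%3f.jsp"))
    for line in scan_log(SAMPLE_LOG):
        print("flagged:", line)
```

The point of the two routing functions is that the mistake is not the decoding itself but decoding and then re-parsing; once "%3f" has become "?", the second parser cannot tell it apart from a real query delimiter, so the only safe order is to separate the query first and validate the decoded path afterwards. The log check is deliberately narrow (only the encoded "?" in the path portion) so that ordinary "/index.jsp?id=7" requests do not trigger it.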

