Bugtraq mailing list archives
Re: def-2001-32 - Allaire JRun directory browsing vulnerability
From: David Walker <bugtraq () grax com>
Date: Sat, 1 Dec 2001 19:32:53 -0600
The most likely cause of this behavior has to do with the character code to URL conversion. The web server converts "/%3f.jsp" to "/?.jsp". Since the character is encoded, it is assumed to be a legitimate part of the filename. Then the URL "/?.jsp" is passed to JRun, which sees it as a request for "/" with a query string of ".jsp".

This type of bug could be used to produce other unexpected behavior. A request for "/myfile.htm%3f.jsp" could possibly result in JRun serving /myfile.htm rather than the web server. I don't use JRun, so I have no way of knowing if any of this unexpected behavior happens or might be dangerous.

This type of bug may be discovered in other products that depend on file extensions and parse the query string themselves rather than depending on the query string the web server sets. A similar exploit was discovered earlier this year with IIS and .htr files.

On Friday 30 November 2001 02:31 pm, Johan Burati wrote:
JRUN 3.0 with Netscape-Enterprise/4.1 running on HPUX is vulnerable too.

Regards,
Johan Burati

-----Original Message-----
From: Felix Huber [mailto:huberfelix () webtopia de]
Sent: Friday, November 30, 2001 12:09 AM
To: bugtraq () securityfocus com
Cc: Stephen Dupre
Subject: Re: def-2001-32 - Allaire JRun directory browsing vulnerability

http://www.victim.com/%3f.jsp

Not only IIS is affected; I found vulnerable sites running Apache 1.3.19/Solaris and Apache 1.3.12/Linux.

I just got a mail from Stephen Dupre (Macromedia); he helped me a lot to bring light into this thing. JRun seems to be fine on Solaris/Linux/HPUX (but he is still investigating this). You can find the Macromedia Advisory here: http://www.allaire.com/handlers/index.cfm?ID=22236&Method=Full

The problem on the other sites seems to be mod_jk/mod_rewrite or Jserv (Apache.org has been contacted). But it's still unclear at the moment what causes this behavior (directory listing). Simply use the NASL file from my last mail; it will work in any case. At the moment even a large German web hoster running Linux is vulnerable to this.

Regards,
Felix Huber

-------------------------------------------------------
Felix Huber, Security Consultant, Webtopia
Guendlinger Str.2, 79241 Ihringen - Germany
huberfelix () webtopia de
(07668) 951 156 (phone)
(07668) 951 157 (fax)
(01792) 205 724 (mobile)
http://www.webtopia.de
-------------------------------------------------------
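The decoding mismatch David Walker describes above, modelled as an added example. This is not code from the thread and not JRun's, IIS's or Apache's actual request handling; the `front_end`, `container_vulnerable`, `container_fixed`, `route` and `has_encoded_delimiter` functions, the handler names and the sample request targets are assumptions made for illustration. The front end splits the query string off the raw target, percent-decodes the path and picks a handler by extension; the vulnerable container then re-parses the decoded path for "?" (so "%3f" becomes a delimiter), while the fixed container treats the decoded path as opaque and uses only the query string the server set.

```python
from urllib.parse import unquote

# Constructed sample request targets (not taken from any host in the thread).
SAMPLE_TARGETS = [
    "/%3f.jsp",              # the probe discussed in the thread
    "/myfile.htm%3f.jsp",    # the variant Walker speculates about
    "/index.jsp?x=1",        # ordinary servlet request with a real query string
    "/myfile.htm",           # plain static file, never reaches the container
]


def front_end(raw_target):
    """Front-end web server, simplified (assumption): split the query string
    off the raw target, percent-decode the path, then choose a handler by the
    decoded filename's extension."""
    raw_path, _, server_query = raw_target.partition("?")
    decoded_path = unquote(raw_path)          # "/%3f.jsp" -> "/?.jsp"
    handler = "jrun" if decoded_path.lower().endswith(".jsp") else "static"
    return handler, decoded_path, server_query


def container_vulnerable(decoded_path, server_query):
    """Container behaviour Walker hypothesises: re-parse the already-decoded
    path for '?' instead of trusting the server's query string, so a decoded
    '%3f' turns into a path/query delimiter."""
    path, sep, query = decoded_path.partition("?")
    return path, (query if sep else server_query)


def container_fixed(decoded_path, server_query):
    """Hardened form: a '?' inside the decoded path is part of the filename;
    the only query string is the one the front end separated before decoding."""
    return decoded_path, server_query


def route(raw_target, container=container_vulnerable):
    """Run one request through the front end and the chosen container model,
    returning which handler served it and what path/query that handler saw."""
    handler, decoded_path, server_query = front_end(raw_target)
    if handler != "jrun":
        return {"handler": "static", "path": decoded_path, "query": server_query}
    path, query = container(decoded_path, server_query)
    return {"handler": "jrun", "path": path, "query": query}


def has_encoded_delimiter(raw_target):
    """Log/WAF check: does the path part of the raw target carry a
    percent-encoded '?' that a downstream re-parse could promote to a delimiter?"""
    raw_path = raw_target.partition("?")[0]
    return "%3f" in raw_path.lower()


if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(f"{target:24} vulnerable -> {route(target)}")
        print(f"{'':24} fixed      -> {route(target, container_fixed)}")
        print(f"{'':24} encoded '?' in path: {has_encoded_delimiter(target)}")
```

With the vulnerable container, "/%3f.jsp" is routed to the servlet handler (the decoded name ends in ".jsp") and then collapses to a request for "/" with query ".jsp", which is the directory-listing behaviour the thread reports; with the fixed container the same request stays a literal lookup of a file named "?.jsp". The `has_encoded_delimiter` check is the quick filter to run over access logs when looking for this probe.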
Current thread:
- RE: def-2001-32 - Allaire JRun directory browsing vulnerability Johan Burati (Dec 01)
- Re: def-2001-32 - Allaire JRun directory browsing vulnerability David Walker (Dec 03)