wp-02-0009: Macromedia JRun Admin Server Authentication Bypass

[Matt Moore <matt () westpoint ltd uk>]

Westpoint Security Advisory

Title:         Macromedia JRun Admin Server Authentication Bypass
Risk Rating:    Medium
Software:     Macromedia JRun
Platforms:    WinNT, Win2k, *nix
Vendor URL:     www.macromedia.com
Author:        Matt Moore <matt () westpoint ltd uk>
Date:        28th June 2002
Advisory ID#:    wp-02-0009.txt

Overview:
=========
JRun is Macromedia's servlet / jsp engine. It installs an web based 
administration
console on TCP port 8000. Before using the console users are required to 
login via
an HTML form. This form can be bypassed, and administrative functions 
accessed
without authentication.

Details:
========
The login form is the default page served up by the server on port 8000.
By inserting an extra '/' in the URL we bypass the login form and gain
access to the web based admin console, e.g.

http://JRun-Server//

We do not have unrestricted access to the admin console - clicking on 
further links
returns you to the login page. However, by requesting the desired admin 
function
in the initial URL we bypass this restriction also, e.g:

JRun-Server:8000//welcome.jsp?&action=stop&server=default

will shutdown the 'default' JRun server instance on port 8100. Other 
administrative
functions can also be accessed.

Patch Information:
==================

Macromedia have produced a cumulative patch for JRun 3.0/3.1/4.0,
availability of which is described in the bulletin at:

http://www.macromedia.com/v1/handlers/index.cfm?ID=23164

This advisory is available online at:

http://www.westpoint.ltd.uk/advisories/wp-02-0009.txt