Bugtraq mailing list archives

Allaire's JRUN Unauthenticated Access to WEB-INF directory


From: Foundstone Labs <labs () FOUNDSTONE COM>
Date: Mon, 23 Oct 2000 11:26:33 -0700

                            Foundstone, Inc.
                        http://www.foundstone.com
                      "Securing the Dot Com World"

                           Security Advisory

                             Allaire's JRUN

----------------------------------------------------------------------
FS Advisory ID:         FS-102300-12-JRUN

Release Date:           October 23, 2000

Product:                JRun 3.0

Vendor:                 Allaire Inc. (http://www.allaire.com)

Vendor Advisory:        http://www.allaire.com/security/

Type:                   Unauthenticated Access to WEB-INF directory

Severity:               High

Author:                 Shreeraj Shah (shreeraj.shah () foundstone com)
                        Saumil Shah (saumil.shah () foundstone com)
                        Stuart McClure (stuart.mcclure () foundstone com)
                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      All operating systems

Vulnerable versions:    JRun 3.0

Foundstone Advisory:
http://www.foundstone.com/cgi-bin/display.cgi?Section_ID=13
----------------------------------------------------------------------

Description

        A severe security flaw exists with Allaire's JRun 3.0 allowing
        an attacker to access WEB-INF directories on the JRun 3.0
        server. The WEB-INF directory tree contains web application
        classes, pre-compiled JSP files, server side libraries,
        session information and files such as web.xml and
        webapp.properties.

Details

        JRun 3.0 can be made to run as a stand-alone web server on
        port 8100. The directory <jrun_install_dir>/servers/default
        holds different web applications hosted in it.

        The directory <jrun_install_dir>/servers/default/default-app
        is the web document root for the default web application. This
        application is mapped to http://site.running.jrun:8100/ when
        accessed via a web browser.

        Other web application directories are set up in a similar
        manner as follows:

           <jrun_install_dir>/servers/default/app1
           <jrun_install_dir>/servers/default/app2 ... etc.

        Their URLs would be mapped as:

           http://site.running.jrun:8100/app1,
           http://site.running.jrun:8100/app2,...

        and so on, depending on the configuration.

        Each web application directory contains a WEB-INF directory
        tree which contains configuration files, server side
        components, libraries and other application related
        information. This directory is not visible to the client. If
        the WEB-INF directory is requested by a web browser by the
        following URL:

           http://site.running.jrun:8100/WEB-INF/

        the server responds with a 403 Forbidden error code. However
        it is possible to access this directory via the following URL:

           http://site.running.jrun:8100//WEB-INF/

        This causes the entire directory tree under WEB-INF to be
        displayed and eventually files under this directory can be
        accessed. For example:

           http://site.running.jrun:8100//WEB-INF/web.xml
           http://site.running.jrun:8100//WEB-INF/webapp.properties

        would allow remote attackers to view the web.xml and
        webapp.properties in the WEB-INF directory. Attackers can also
        access critical resources such as class files, session
        information, etc.

Proof of concept

        Prefixing the path to WEB-INF by / in the URL causes the
        directory structure within WEB-INF to be displayed.

        http://site.running.jrun:8100//WEB-INF/
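        Added example, not from the advisory or from JRun itself: a raw
        prefix check of the kind a "//WEB-INF/" request passes, beside a
        check made on the normalised path, plus a scan over constructed
        access-log lines that flags requests resolving to WEB-INF
        whatever status the server returned. The PROTECTED tuple, the
        log format and the sample lines are assumptions for this
        demonstration.

```python
import posixpath
from urllib.parse import unquote

# Directories hidden from clients; META-INF is assumed alongside WEB-INF.
PROTECTED = ("/WEB-INF/", "/META-INF/")


def naive_is_protected(raw_path: str) -> bool:
    """Literal prefix match on the raw request path: the shape of check
    that a request for '//WEB-INF/' slips past."""
    return any(raw_path.startswith(p) for p in PROTECTED)


def normalize(raw_path: str) -> str:
    """Canonicalise the path before any access decision: percent-decode,
    collapse repeated '/', then resolve '.' and '..' segments."""
    path = unquote(raw_path)
    # posixpath.normpath preserves a leading '//', so collapse slashes first
    while "//" in path:
        path = path.replace("//", "/")
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    # normpath drops the trailing '/'; restore it so directory requests match
    if raw_path.endswith("/") and not path.endswith("/"):
        path += "/"
    return path


def hardened_is_protected(raw_path: str) -> bool:
    """Decide on the canonical form, case-insensitively (Windows hosts)."""
    canon = normalize(raw_path).upper()
    return any(canon == p.rstrip("/") or canon.startswith(p) for p in PROTECTED)


def flag_requests(access_log: list) -> list:
    """Return request paths from CLF-style log lines that resolve to a
    protected directory, regardless of the status code the server returned."""
    flagged = []
    for line in access_log:
        request = line.split('"')[1]          # 'GET //WEB-INF/ HTTP/1.0'
        path = request.split(" ")[1]
        if hardened_is_protected(path):
            flagged.append(path)
    return flagged


# Constructed sample log lines for this demonstration, not from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Oct/2000:11:26:33 -0700] "GET /WEB-INF/ HTTP/1.0" 403 0',
    '10.0.0.5 - - [23/Oct/2000:11:26:40 -0700] "GET //WEB-INF/ HTTP/1.0" 200 2048',
    '10.0.0.5 - - [23/Oct/2000:11:26:45 -0700] "GET //WEB-INF/web.xml HTTP/1.0" 200 912',
    '10.0.0.7 - - [23/Oct/2000:11:27:01 -0700] "GET /app1/index.jsp HTTP/1.0" 200 1533',
]
```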

Solution

        Follow the recommendations given in Allaire Security Bulletin
        ASB00-27, available at: http://www.allaire.com/security/

Credits

        We would also like to thank Allaire Inc. for their prompt
        reaction to this problem and their co-operation in heightening
        security awareness in the security community.

Disclaimer

        The information contained in this advisory is the copyright (C)
        2000 of Foundstone, Inc. and believed to be accurate at the time
        of printing, but no representation or warranty is given, express
        or implied, as to its accuracy or completeness. Neither the
        author nor the publisher accepts any liability whatsoever for
        any direct, indirect or consequential loss or damage arising in
        any way from any use of, or reliance placed on, this information
        for any purpose. This advisory may be redistributed provided that
        no fee is assigned and that the advisory is not modified in any
        way.
