Bugtraq mailing list archives
Allaire's JRUN Unauthenticated Access to WEB-INF directory
From: Foundstone Labs <labs () FOUNDSTONE COM>
Date: Mon, 23 Oct 2000 11:26:33 -0700
Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory
Allaire's JRUN
----------------------------------------------------------------------
FS Advisory ID:        FS-102300-12-JRUN
Release Date:          October 23, 2000
Product:               JRun 3.0
Vendor:                Allaire Inc. (http://www.allaire.com)
Vendor Advisory:       http://www.allaire.com/security/
Type:                  Unauthenticated Access to WEB-INF directory
Severity:              High
Author:                Shreeraj Shah (shreeraj.shah () foundstone com)
                       Saumil Shah (saumil.shah () foundstone com)
                       Stuart McClure (stuart.mcclure () foundstone com)
                       Foundstone, Inc. (http://www.foundstone.com)
Operating Systems:     All operating systems
Vulnerable versions:   JRun 3.0
Foundstone Advisory:   http://www.foundstone.com/cgi-bin/display.cgi?Section_ID=13
----------------------------------------------------------------------

Description

A severe security flaw exists in Allaire's JRun 3.0 that allows an attacker to
access WEB-INF directories on the JRun 3.0 server. The WEB-INF directory tree
contains web application classes, pre-compiled JSP files, server side
libraries, session information and files such as web.xml and
webapp.properties.

Details

JRun 3.0 can be made to run as a stand-alone web server on port 8100. The
directory <jrun_install_dir>/servers/default holds the different web
applications hosted on the server. The directory
<jrun_install_dir>/servers/default/default-app is the web document root for
the default web application. This application is mapped to
http://site.running.jrun:8100/ when accessed via a web browser.

Other web application directories are set up in a similar manner, as follows:

    <jrun_install_dir>/servers/default/app1
    <jrun_install_dir>/servers/default/app2
    ... etc.

Their URLs would be mapped as http://site.running.jrun:8100/app1,
http://site.running.jrun:8100/app2, ... and so on, depending on the
configuration.

Each web application directory contains a WEB-INF directory tree which holds
configuration files, server side components, libraries and other application
related information. This directory is not meant to be visible to the client.
If the WEB-INF directory is requested by a web browser with the following URL:

    http://site.running.jrun:8100/WEB-INF/

the server responds with a 403 Forbidden error code. However, it is possible
to access this directory via the following URL:

    http://site.running.jrun:8100//WEB-INF/

This causes the entire directory tree under WEB-INF to be listed, and
individual files under it can then be retrieved. For example:

    http://site.running.jrun:8100//WEB-INF/web.xml
    http://site.running.jrun:8100//WEB-INF/webapp.properties

would allow remote attackers to view web.xml and webapp.properties in the
WEB-INF directory. Attackers can also access critical resources such as class
files, session information, etc.

Proof of concept

Prefixing the path to WEB-INF with an extra / in the URL causes the directory
structure within WEB-INF to be displayed:

    http://site.running.jrun:8100//WEB-INF/

Solution

Follow the recommendations given in Allaire Security Bulletin ASB00-27,
available at:

    http://www.allaire.com/security/

Credits

We would also like to thank Allaire Inc. for their prompt reaction to this
problem and their co-operation in heightening security awareness in the
security community.

Disclaimer

The information contained in this advisory is the copyright (C) 2000 of
Foundstone, Inc. and believed to be accurate at the time of printing, but no
representation or warranty is given, express or implied, as to its accuracy
or completeness. Neither the author nor the publisher accepts any liability
whatsoever for any direct, indirect or consequential loss or damage arising in
any way from any use of, or reliance placed on, this information for any
purpose. This advisory may be redistributed provided that no fee is assigned
and that the advisory is not modified in any way.
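The root cause the advisory describes is a protected-path check applied to the raw request URI, so that /WEB-INF/ is refused while //WEB-INF/ slips past. Added here as an illustration, not Foundstone's or Allaire's code (the function names and the sample request paths are constructed): the naive prefix check beside a hardened one that canonicalizes the path before deciding, and which also covers the other spellings of the same resource (dot segments, mixed case, percent-encoding) that a defender would want caught.

```python
import posixpath
from urllib.parse import unquote

# Directories the servlet spec says must never be served to a client.
# WEB-INF is the one the advisory concerns; META-INF is treated the same way.
PROTECTED_DIRS = ("WEB-INF", "META-INF")


def is_protected_naive(path: str) -> bool:
    """Check on the raw request path, matching the behaviour the advisory
    reports for JRun 3.0: '/WEB-INF/' is caught, '//WEB-INF/' is not."""
    return any(path.startswith("/" + d + "/") or path == "/" + d
               for d in PROTECTED_DIRS)


def canonicalize(path: str) -> str:
    """Reduce every spelling of a resource to one string before any check:
    decode percent-escapes once, drop empty segments (collapses '//'),
    then resolve '.' and '..' segments (posixpath clamps '..' at the root)."""
    decoded = unquote(path)
    collapsed = "/" + "/".join(seg for seg in decoded.split("/") if seg)
    return posixpath.normpath(collapsed)


def is_protected(path: str) -> bool:
    """Hardened check: canonicalize first, then refuse if ANY path segment
    names a protected directory. Segment-wise rather than prefix-wise, since
    each web application has its own WEB-INF (e.g. /app1/WEB-INF/). Compared
    case-insensitively because the underlying filesystem may be."""
    segments = canonicalize(path).split("/")
    return any(seg.upper() in PROTECTED_DIRS for seg in segments)


def compare_checks(paths):
    """Run both checks over a list of request paths; returns
    {path: (naive_result, hardened_result)} so the gap is visible."""
    return {p: (is_protected_naive(p), is_protected(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample request paths, including the advisory's double-slash form.
    sample = ["/WEB-INF/web.xml", "//WEB-INF/web.xml",
              "/app1//WEB-INF/webapp.properties", "/images/../WEB-INF/",
              "/web-inf/", "/%57EB-INF/", "/index.jsp"]
    for path, (naive, hardened) in compare_checks(sample).items():
        print(f"{path:40} naive={naive!s:5} hardened={hardened}")
```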