Allaire Security Bulletin (ASB01-02) JRun 3.0

[Ben Greenbaum <bgreenbaum () SECURITYFOCUS COM>]

Allaire posted the following security bulletin to their site recently. The
online version can be found at:
http://www.allaire.com/handlers/index.cfm?ID=19546&Method=Full

------------------------------------

Allaire Security Bulletin (ASB01-02)

JRun 3.0: Patch available for JRun malformed URI WEB-INF directory
information and web.xml file retrieval issue

Originally Posted: January 24, 2001
Last Updated: January 24, 2001

Summary
It is possible to get a directory listing of the WEB-INF directory when
requesting pages from a JRun Web Server. It is also possible to display
the contents of the web.xml file in WEB-INF.
Issue

Under certain circumstances, submitting a malformed URI to JRun 3.0 will
return the web.xml file or a directory listing of the WEB-INF directory on
the server.

For example, a URL like:

    http://jrun_server:8000/./WEB-INF/

can reveal a directory listing of the WEB-INF directory on the server,
'jrun_server'.

Also, a URL like:

    http://jrun_server:8000/./WEB-INF/web.xml

can retrieve the 'web.xml' file in the 'WEB-INF' directory.
Affected Software Versions
JRun 3.0 (all editions)
What Allaire is Doing

Allaire has published this bulletin, notifying customers of the problem.
Allaire has also released a patch that should resolve the issue in JRun
3.0. The patch is included in Service Pack 2 for JRun 3.0.

JRun 3.0 users can find the patch for installation at the following URIs
-- use the patch appropriate to your platform -- instructions for
installation are included:

Windows 95/98/NT/2000 and Windows NT Alpha:
http://download.allaire.com/jrun/jrun3.0/jr30sp2.exe

UNIX/Linux patch - GNU gzip/tar:
http://download.allaire.com/jrun/jrun3.0/jr30sp2u.sh

It is recommended you back up your existing data before applying any
patch.

What Customers Should Do
Customers should download and install Service Pack 2.

Please note: As always, customers should test patch changes in a testing
environment before modifying production servers.

Acknowledgements
Allaire would like to recognize Vanja Hrustic of The Relay Group helping
to identify some of the issues related to this bulletin.
Revisions
January 24, 2001 -- Bulletin first created.

Reporting Security Issues
Allaire is committed to addressing security issues and providing customers
with the information on how they can protect themselves. If you identify
what you believe may be a security issue with an Allaire product, please
send an email to secure () allaire com. We will work to appropriately address
and communicate the issue.

Receiving Security Bulletins
When Allaire becomes aware of a security issue that we believe
significantly affects our products or customers, we will notify customers
when appropriate. Typically this notification will be in the form of a
security bulletin explaining the issue and the response. Allaire customers
who would like to receive notification of new security bulletins when they
are released can sign up for our security notification service.

For additional information on security issues at Allaire, please visit the
Security Zone at:
http://www.allaire.com/security.

THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR
ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT,
INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

Allaire reserves the right, from time to time, to update the information
in this document with current information.
------------------------------------------