KPMG-2002026: Jrun sourcecode Disclosure

[Peter Gründl <pgrundl () kpmg dk>]

--------------------------------------------------------------------

Title: Jrun sourcecode Disclosure

BUG-ID: 2002026
Released: 01st Jul 2002
--------------------------------------------------------------------

Problem:
========
It is possible for a malicious user to trick the Jrun webserver into
disclosing sourcecode.


Vulnerable:
===========
- Jrun 4.0 on Windows 2000 Server

Other versions were not tested!


Details:
========
There are several strings that can be attacked to a legitimate
request to fool the webserver into serving up the unparsed .jsp file
The problem is with the handling of null characters in the request
string and one way to trigger it is to append a unicoded null to
the valid request string.


Vendor URL:
===========
You can visit the vendor webpage here: http://www.macromedia.com


Vendor Response:
================
This was reported to the vendor on the 17th of May, 2002. On the
27th of June, 2002, the vendor released a cumulative patch for
Jrun that includes the patch for this issue.


Corrective action:
==================
Read the vendors advisory to determine which patch you need:

http://www.macromedia.com/v1/handlers/index.cfm?ID=23164



Author: Peter Gründl (pgrundl () kpmg dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------