[23320] in bugtraq


Re: def-2001-32 - Allaire JRun directory browsing vulnerability

daemon@ATHENA.MIT.EDU (Felix Huber)
Thu Nov 29 18:19:48 2001

Message-ID: <02b501c178ca$fceb23c0$0205a8c0@athlon>
From: "Felix Huber" <huberfelix@webtopia.de>
To: <bugtraq@securityfocus.com>
Date: Thu, 29 Nov 2001 12:42:56 +0100

> ------------------------=[Affected Systems]=--------------------------
> Under Windows NT/2000(any service pack) and IIS 4.0/5.0:
> - JRun 3.0 (all editions)
> - JRun 3.1 (all editions)
> ----------------------=[Detailed Description]=------------------------
> Upon sending a specially formed request to the web server, containing
> a '.jsp' extension makes the JRun handle the request. Example:
>
> http://www.victim.com/%3f.jsp

Not only IIS is affected; I found vulnerable sites running Apache
1.3.19/Solaris and Apache 1.3.12/Linux.

A NASL script to find affected systems is attached.


Regards,
Felix Huber


-------------------------------------------------------
Felix Huber, Security Consultant, Webtopia
Guendlinger Str.2, 79241 Ihringen - Germany
huberfelix@webtopia.de     (07668)  951 156 (phone)
http://www.webtopia.de     (07668)  951 157 (fax)
                                         (01792)  205 724 (mobile)
-------------------------------------------------------

Attachment: jrun_getdir.nasl

#
# This script was written by Felix Huber <huberfelix@webtopia.de>
#
# v. 1.00 (last update 28.11.01)
#

if(description)
{
 script_id(10814);
 name["english"] = "Allaire JRun directory browsing vulnerability";
 script_name(english:name["english"]);

 desc["english"] = "
Allaire JRun 3.0/3.1 under a Microsoft IIS 4.0/5.0 platform has a
problem handling malformed URLs. This allows a remote user to browse
the file system under the web root (normally \inetpub\wwwroot).

Under Windows NT/2000 (any service pack) and IIS 4.0/5.0:
- JRun 3.0 (all editions)
- JRun 3.1 (all editions)

Sending a specially formed request containing a '.jsp' extension to
the web server makes JRun handle the request. Example:

http://www.victim.com/%3f.jsp

This vulnerability allows anyone with remote access to the web server
to browse it and any directory within the web root.

Solution:
From Macromedia Product Security Bulletin (MPSB01-13)
http://www.allaire.com/handlers/index.cfm?ID=22236&Method=Full

Macromedia recommends, as a best practice, turning off directory
browsing for the JRun Default Server in the following applications:

- Default Application (the application with '/' mapping that causes
  the security problem)

- Demo Application
  Also, make sure any newly created web application that uses the '/'
  mapping has directory browsing off.

The changes that need to be made in the JRun Management Console or JMC:

- JRun Default Server/Web Applications/Default User Application/File
  Settings/Directory Browsing Allowed set to FALSE.
- JRun Default Server/Web Applications/JRun Demo/File Settings/
  Directory Browsing Allowed set to FALSE.

Restart the servers after making the changes and the %3f.jsp request
should now return a 403 forbidden. When this bug is fixed, the request
(regardless of directory browsing setting) should return a '404 page
not found'.

The directory browsing property is called [file.browsedirs]. Changing
the property via the JMC will cause the following changes:
JRun 3.0 will write [file.browsedirs=false] in the local.properties
file. (server-wide change)
JRun 3.1 will write [file.browsedirs=false] in the webapp.properties
of the application.


Risk factor : Medium";

 script_description(english:desc["english"]);

 summary["english"] = "Allaire JRun directory browsing vulnerability";

 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2001 Felix Huber");
 family["english"] = "CGI abuses";
 script_family(english:family["english"]);
 script_dependencie("find_service.nes", "no404.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

#
# The script code starts here
#

# Use the web server port found by find_service.nes, falling back to 80.
port = get_kb_item("Services/www");
if(!port)port = 80;
if(get_port_state(port))
{
 # The malformed '%3f.jsp' request from the advisory; a vulnerable JRun
 # answers it with a listing of the web root instead of 403/404.
 req = http_get(item:"/%3f.jsp", port:port);
 soc = open_sock_tcp(port);
 if(soc)
 {
  send(socket:soc, data:req);
  r = recv(socket:soc, length:4096);
  close(soc);
  # Directory listings from JRun carry one of these two title strings.
  if(("Index of /" >< r)||
     ("Directory Listing" >< r)){
	security_hole(port);
	exit(0);
	}

 }
}

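The three outcomes the bulletin describes for the /%3f.jsp request (a directory listing means the hole is open, 403 means directory browsing was turned off but JRun is unpatched, 404 means the fix is installed) as a small Python checker. This is an added example, not Felix Huber's NASL script or anything from Macromedia; the listing marker strings are taken from the script above, and the `probe` helper, its function names and the constructed test responses are assumptions.

```python
import socket

# Marker strings the NASL script above matches in a JRun directory listing.
LISTING_MARKERS = (b"Index of /", b"Directory Listing")


def classify_jrun_response(raw: bytes) -> str:
    """Map a raw HTTP reply to the /%3f.jsp probe onto the bulletin's cases:
    'vulnerable' - 200 with a directory listing in the body
    'mitigated'  - 403: file.browsedirs=false applied, bug still present
    'fixed'      - 404: patched JRun rejects the malformed request
    'unknown'    - anything else, including catch-all 200 pages without a
                   listing (the case the no404.nasl dependency guards)
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        status = int(head.split(b" ", 2)[1])
    except (IndexError, ValueError):
        return "unknown"
    if status == 200 and any(m in body for m in LISTING_MARKERS):
        return "vulnerable"
    if status == 403:
        return "mitigated"
    if status == 404:
        return "fixed"
    return "unknown"


def build_probe(host: str) -> bytes:
    # Same request the NASL script sends: the '?' is percent-encoded so the
    # '.jsp' suffix survives to JRun instead of being cut off as a query.
    return f"GET /%3f.jsp HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def probe(host: str, port: int = 80, timeout: float = 10.0) -> str:
    """Send the probe to one server and classify its reply (hypothetical helper)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return classify_jrun_response(b"".join(chunks))
```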

