[23346] in bugtraq
Re: def-2001-32 - Allaire JRun directory browsing vulnerability
daemon@ATHENA.MIT.EDU (null null)
Fri Nov 30 17:12:49 2001
Date: 29 Nov 2001 21:26:50 -0000
Message-ID: <20011129212650.23474.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: null null <sl2sho@yahoo.com>
To: bugtraq@securityfocus.com
In-Reply-To: <PKEMKDGKMFGJMOHGPHFPAEBJCAAA.george.hedfors@defcom.com>

Here are some HTTP header dumps from different web servers that are
vulnerable to the \%3f.jsp directory content vulnerability

HTTP/1.0 200 OK
Date: Fri, 30 Nov 2001 03:43:27 GMT
Server: Jetty/3.1.RC8 (Linux 2.2.16-22enterprise x86)
Servlet-Engine: Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.3.0)

HTTP/1.1 200 OK
Date: Fri, 30 Nov 2001 04:00:20 GMT
Server: Apache/1.3.20 (Linux/SuSE) mod_jk
Last-Modified: Thu, 01 Nov 2001 21:20:47 GMT

HTTP/1.1 302 Found
Date: Fri, 30 Nov 2001 04:03:07 GMT
Server: Apache/1.3.14 (Unix) PHP/4.0.6 ApacheJServ/1.1.2
Servlet-Engine: Tomcat Web Server/3.2.3 (JSP 1.1; Servlet 2.2; Java 1.
5.8 sparc; java.vendor=Sun Microsystems Inc.)

mad love to securityfocus.com....
-slow2show-
University of Florida

>From: "George Hedfors" <george.hedfors@defcom.com>
>To: "Felix Huber" <huberfelix@webtopia.de>, "BugTraq" <bugtraq@securityfocus.com>
>Subject: RE: def-2001-32 - Allaire JRun directory browsing vulnerability
>Date: Thu, 29 Nov 2001 12:03:57 +0100
>
>That Apache must be running some JRun engine, could you find out which?
>
>Regards, George
>
>-----Original Message-----
>From: Felix Huber [mailto:huberfelix@webtopia.de]
>Sent: den 29 november 2001 11:55
>To: George Hedfors; bugtraq@securityfocus.com
>Subject: Re: def-2001-32 - Allaire JRun directory browsing vulnerability
>
>
>> ------------------------=[Affected Systems]=--------------------------
>> Under Windows NT/2000 (any service pack) and IIS 4.0/5.0:
>> - JRun 3.0 (all editions)
>> - JRun 3.1 (all editions)
>> ----------------------=[Detailed Description]=------------------------
>> Upon sending a specially formed request to the web server, containing
>> a '.jsp' extension makes the JRun handle the request. Example:
>>
>> http://www.victim.com/%3f.jsp
>
>Not only IIS is affected, I found a vulnerable site running Apache 1.3.19 on
>Solaris.
>
>A NASL Script is attached to find affected systems.
>
>
>Best regards,
>Felix Huber
>
>
>-------------------------------------------------------
>Felix Huber, Security Consultant, Webtopia
>Guendlinger Str.2, 79241 Ihringen - Germany
>huberfelix@webtopia.de (07668) 951 156 (phone)
>http://www.webtopia.de (07668) 951 157 (fax)
> (01792) 205 724 (mobile)
>-------------------------------------------------------
>
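
Added example, not part of the original thread and not code from any of the posters: a small Python check that flags access-log requests using the %3f.jsp pattern quoted above. The Common Log Format layout, the function names and the sample lines are assumptions; it also flags the pattern under subdirectories and with an upper-case %3F, which goes beyond the single URL shown in the advisory.

```python
import re
from urllib.parse import unquote

# Assumed layout (Common Log Format):
# client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_encoded_qmark_jsp(target):
    """True when the last path segment hides a '?' as %3f and ends in .jsp."""
    # A literal '?' starts the real query string; only the path matters here.
    raw_path = target.split("?", 1)[0]
    segment = raw_path.rsplit("/", 1)[-1]
    if "%3f" not in segment.lower():
        return False
    return unquote(segment).lower().endswith(".jsp")

def scan(lines):
    """Return (client, target, status) for every matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_encoded_qmark_jsp(m.group("target")):
            hits.append((m.group("client"), m.group("target"),
                         int(m.group("status"))))
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Nov/2001:03:43:27 +0000] "GET /%3f.jsp HTTP/1.0" 200 2312',
    '192.0.2.10 - - [30/Nov/2001:03:43:30 +0000] "GET /admin/%3F.jsp HTTP/1.0" 302 0',
    '198.51.100.7 - - [30/Nov/2001:03:44:01 +0000] "GET /index.jsp?id=3 HTTP/1.1" 200 912',
    '198.51.100.7 - - [30/Nov/2001:03:44:05 +0000] "GET /search.jsp?q=%3f.jsp HTTP/1.1" 200 400',
]

if __name__ == "__main__":
    for client, target, status in scan(SAMPLE_LOG):
        # A 200 means the server answered the request instead of rejecting it.
        note = "answered, check for a listing" if status == 200 else "review"
        print(f"{client} {target} -> {status} ({note})")
```

An encoded question mark inside a real query string (the last sample line) is not flagged, because only the path before the first literal '?' is inspected.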