[25997] in bugtraq
wp-02-0009: Macromedia JRun Admin Server Authentication Bypass
daemon@ATHENA.MIT.EDU (Matt Moore)
Fri Jun 28 17:10:40 2002
Message-ID: <3D1C82A0.7030602@westpoint.ltd.uk>
Date: Fri, 28 Jun 2002 16:37:04 +0100
From: Matt Moore <matt@westpoint.ltd.uk>
MIME-Version: 1.0
To: bugtraq <bugtraq@securityfocus.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Westpoint Security Advisory
Title: Macromedia JRun Admin Server Authentication Bypass
Risk Rating: Medium
Software: Macromedia JRun
Platforms: WinNT, Win2k, *nix
Vendor URL: www.macromedia.com
Author: Matt Moore <matt@westpoint.ltd.uk>
Date: 28th June 2002
Advisory ID#: wp-02-0009.txt
Overview:
=========
JRun is Macromedia's servlet / jsp engine. It installs an web based
administration
console on TCP port 8000. Before using the console users are required to
login via
an HTML form. This form can be bypassed, and administrative functions
accessed
without authentication.
Details:
========
The login form is the default page served up by the server on port 8000.
By inserting an extra '/' in the URL we bypass the login form and gain
access to the web based admin console, e.g.
http://JRun-Server//
We do not have unrestricted access to the admin console - clicking on
further links
returns you to the login page. However, by requesting the desired admin
function
in the initial URL we bypass this restriction also, e.g:
JRun-Server:8000//welcome.jsp?&action=stop&server=default
will shutdown the 'default' JRun server instance on port 8100. Other
administrative
functions can also be accessed.
Patch Information:
==================
Macromedia have produced a cumulative patch for JRun 3.0/3.1/4.0,
availability of which is described in the bulletin at:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23164
This advisory is available online at:
http://www.westpoint.ltd.uk/advisories/wp-02-0009.txt
