Allaire's JRUN Unauthenticated Access to WEB-INF directory
daemon@ATHENA.MIT.EDU (Foundstone Labs)
Tue Oct 24 02:16:44 2000
Date: Mon, 23 Oct 2000 11:26:33 -0700
Reply-To: Foundstone Labs <labs@FOUNDSTONE.COM>
From: Foundstone Labs <labs@FOUNDSTONE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"
Security Advisory
Allaire's JRUN
----------------------------------------------------------------------
FS Advisory ID: FS-102300-12-JRUN
Release Date: October 23, 2000
Product: JRun 3.0
Vendor: Allaire Inc. (http://www.allaire.com)
Vendor Advisory: http://www.allaire.com/security/
Type: Unauthenticated Access to WEB-INF directory
Severity: High
Author: Shreeraj Shah (shreeraj.shah@foundstone.com)
Saumil Shah (saumil.shah@foundstone.com)
Stuart McClure (stuart.mcclure@foundstone.com)
Foundstone, Inc. (http://www.foundstone.com)
Operating Systems: All operating systems
Vulnerable versions: JRun 3.0
Foundstone Advisory:
http://www.foundstone.com/cgi-bin/display.cgi?Section_ID=13
----------------------------------------------------------------------
Description
A severe security flaw exists with Allaire's JRun 3.0 allowing
an attacker to access WEB-INF directories on the JRun 3.0
server. The WEB-INF directory tree contains web application
classes, pre-compiled JSP files, server side libraries,
session information and files such as web.xml and
webapp.properties.
Details
JRun 3.0 can be made to run as a stand-alone web server on
port 8100. The directory <jrun_install_dir>/servers/default
holds the web applications hosted on that server.
The directory <jrun_install_dir>/servers/default/default-app
is the web document root for the default web application. This
application is mapped to http://site.running.jrun:8100/ when
accessed via a web browser.
Other web application directories are set up in a similar
manner as follows:
<jrun_install_dir>/servers/default/app1
<jrun_install_dir>/servers/default/app2 ... etc.
Their URLs would be mapped as:
http://site.running.jrun:8100/app1,
http://site.running.jrun:8100/app2,...
and so on, depending on the configuration.
Each web application directory contains a WEB-INF directory
tree holding configuration files, server side components,
libraries and other application related information. This
directory is not visible to the client. If
the WEB-INF directory is requested by a web browser by the
following URL:
http://site.running.jrun:8100/WEB-INF/
the server responds with a 403 Forbidden error code. However,
it is possible to access this directory via the following URL:
http://site.running.jrun:8100//WEB-INF/
This causes the entire directory tree under WEB-INF to be
displayed, and files under this directory can then be
accessed. For example:
http://site.running.jrun:8100//WEB-INF/web.xml
http://site.running.jrun:8100//WEB-INF/webapp.properties
would allow remote attackers to view the web.xml and
webapp.properties in the WEB-INF directory. Attackers can also
access critical resources such as class files, session
information, etc.
Proof of concept
Prefixing the path to WEB-INF by / in the URL causes the
directory structure within WEB-INF to be displayed.
http://site.running.jrun:8100//WEB-INF/
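The following is an added example, not code from Foundstone or Allaire: a path guard that canonicalizes the request path (collapsing the repeated slash described above) before matching on WEB-INF, next to the kind of literal check that the bypass defeats, plus a small scan that flags the pattern in constructed access-log lines. The case-insensitive match, the ".." handling and the common-log-format layout are assumptions beyond what the advisory states.

```python
"""Added example (not JRun's or Allaire's code): canonicalize the request path
before the WEB-INF check, and flag the //WEB-INF/ bypass in access logs."""
from urllib.parse import unquote

PROTECTED = {"web-inf"}  # matched case-insensitively: an assumption beyond the page

def naive_is_forbidden(raw_path: str) -> bool:
    """Literal check that denies /WEB-INF/ but passes //WEB-INF/ (the bug)."""
    return raw_path.startswith("/WEB-INF/")

def canonicalize(raw_path: str) -> str:
    """Percent-decode, collapse repeated slashes, resolve '.' and '..'."""
    path = unquote(raw_path.split("?", 1)[0])  # drop ?query, decode %xx once
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):                   # empty segment == repeated slash
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)

def is_forbidden(raw_path: str) -> bool:
    """Deny if any segment of the canonical path is a protected directory,
    so per-application WEB-INF dirs (/app1/WEB-INF/) are covered too."""
    return any(seg.lower() in PROTECTED
               for seg in canonicalize(raw_path).split("/")[1:])

def find_bypass_attempts(log_lines):
    """Return (raw, canonical) for common-log-format requests that the naive
    check would allow but that resolve into a protected directory."""
    hits = []
    for line in log_lines:
        try:
            raw = line.split('"')[1].split(" ")[1]   # path from "GET /x HTTP/1.0"
        except IndexError:
            continue
        if not naive_is_forbidden(raw) and is_forbidden(raw):
            hits.append((raw, canonicalize(raw)))
    return hits

# Constructed sample access log; addresses and timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Oct/2000:11:26:33 -0700] "GET /index.jsp HTTP/1.0" 200 512',
    '10.0.0.5 - - [23/Oct/2000:11:26:40 -0700] "GET /WEB-INF/web.xml HTTP/1.0" 403 0',
    '10.0.0.5 - - [23/Oct/2000:11:26:45 -0700] "GET //WEB-INF/web.xml HTTP/1.0" 200 1844',
    '10.0.0.5 - - [23/Oct/2000:11:26:50 -0700] "GET /app1//WEB-INF/webapp.properties HTTP/1.0" 200 300',
]
```

Running find_bypass_attempts(SAMPLE_LOG) returns the two requests that slipped past the literal check, each paired with the WEB-INF path it actually resolves to.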
Solution
Follow the recommendations given in Allaire Security Bulletin
ASB00-27, available at: http://www.allaire.com/security/
Credits
We would also like to thank Allaire Inc. for their prompt
reaction to this problem and their co-operation in heightening
security awareness in the security community.
Disclaimer
The information contained in this advisory is the copyright (C)
2000 of Foundstone, Inc. and believed to be accurate at the time
of printing, but no representation or warranty is given, express
or implied, as to its accuracy or completeness. Neither the
author nor the publisher accepts any liability whatsoever for
any direct, indirect or consequential loss or damage arising in
any way from any use of, or reliance placed on, this information
for any purpose. This advisory may be redistributed provided that
no fee is assigned and that the advisory is not modified in any
way.