JRun Vulnerabilities

Impact

Several vulnerabilities in the JRun server could allow an intruder to view arbitrary files or execute arbitrary code on the server.

Background

JRun is a Java application server which comes with an HTTP server. It runs on both Unix and Windows NT systems.

The Problem

There are several vulnerabilities in the JRun HTTP server.

The first vulnerability could allow an attacker to view arbitrary files or directories that are supposed to be hidden, such as the WEB-INF directory. This is accomplished by sending a malformed request which includes an extraneous slash character before the directory name. JRun 3.0 and 3.0 SP1 are vulnerable to this attack.

The second vulnerability could allow an attacker to view arbitrary files. By making a request to the SSIFilter servlet including the "../" string, it is possible to escape from the web root and view any file on the system. JRun 2.3.3 is affected by this vulnerability.

A third vulnerability could allow an attacker to execute arbitrary commands on the server. In order to exploit this vulnerability, there would need to be an application on the server which writes user input to a file on the server. The attacker would need to be able to guess the location of that file. By putting JSP commands in the input to the application, and then executing the resulting file as a JSP page using the JSP servlet, arbitrary code could be executed on the server. JRun 2.3.3 is affected by this vulnerability.
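
The first two issues above leave recognizable traces in HTTP access logs. The following detection sketch is an added example, not code from the advisory or from Allaire; the Common Log Format layout, the sample entries, and the finding names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a Common Log Format entry (the log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# One or more extra slashes directly before the hidden WEB-INF directory.
EXTRA_SLASH_RE = re.compile(r"//+WEB-INF(/|$)", re.IGNORECASE)
# A ".." path segment, in the path or in a query-string value.
DOTDOT_RE = re.compile(r"(^|[/=?&])\.\.(/|$)")


def classify(log_line):
    """Return the list of findings for a single access-log line."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    # Decode twice so double-encoded slashes and dots are seen in clear,
    # and treat backslashes as slashes (JRun also runs on Windows NT).
    url = unquote(unquote(match.group(1))).replace("\\", "/")
    path = url.split("?", 1)[0]
    findings = []
    if EXTRA_SLASH_RE.search(path):
        findings.append("extra-slash-before-WEB-INF")
    if "ssifilter" in url.lower() and DOTDOT_RE.search(url):
        findings.append("dotdot-in-SSIFilter-request")
    return findings


def scan(lines):
    """Map 1-based line number -> findings, for lines with any finding."""
    hits = {}
    for number, line in enumerate(lines, start=1):
        findings = classify(line)
        if findings:
            hits[number] = findings
    return hits


# Constructed sample entries (documentation IP addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /index.jsp HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2001:10:00:05 +0000] "GET //WEB-INF/ HTTP/1.0" 200 1024',
    '192.0.2.12 - - [01/Jan/2001:10:00:09 +0000] "GET /servlet/SSIFilter/../../example.txt HTTP/1.0" 200 2048',
    '192.0.2.13 - - [01/Jan/2001:10:00:12 +0000] "GET /app%2F%2FWEB-INF/web.xml HTTP/1.0" 200 300',
    '192.0.2.14 - - [01/Jan/2001:10:00:15 +0000] "GET /servlet/SSIFilter/page.shtml HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG).items():
        print(number, findings)
```

A 200 response on a flagged line is the case to review first, since it suggests the server returned the content rather than rejecting the request.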

Resolution

Apply the patches referenced in Allaire Security Bulletins 00-27, 00-28, and 00-29, which can be found in the Allaire Security Zone.

Where can I read more about this?

For more information on these and other vulnerabilities in Allaire products, go to the Allaire Security Zone.