COMMAND

JRun SSI JSP

SYSTEMS AFFECTED

JRun Java application server from Allaire. All current versions (with the latest security patches as of November 2001) are believed to be affected, including 2.3.3, 3.0, and 3.1.

PROBLEM

In Netcraft Advisory [http://www.netcraft.com/security/public-advisories/2001-11.1.html]:

When a request for an SSI page is submitted to the server, and the page does not exist, the SSI handler "falls back" on the body of the HTTP request itself. Usually an HTTP request does not contain a body, but a malicious user can easily construct a request with a body containing SSI commands. These can be used to include the source to other files on the server. For example, a request such as:

GET /nosuch.shtml HTTP/1.0
Content-Length: 38

would return the source of the index.jsp page (subject to SSI processing - so servlet tags may be replaced, but most JSP source would be passed through unmodified).

It should be noted that the include directive does not go through the usual URL processing - for example, includes of .jsp files are not done by the JSP handler, hence the source code to .jsp's can be obtained. It also bypasses any access controls enforced by the web server (so files in protected directories such as the /WEB-INF/ directory can be accessed). However, it was not possible to access files outside of the web root in the cases that Netcraft tested.

Netcraft also verified that it was possible to execute Java servlets on the server using this vulnerability. As it is common to expose these via the /servlet/ URL mapping, this does not give the attacker any new advantage in the normal setup, but it could be considered a problem by sites that have disabled the /servlet/ mapping.

Also, George Hedfors in DefCom Labs [http://labs.defcom.com] advisory [def-2001-32] says:

Sending a specially formed request to the web server containing a '.jsp' extension makes JRun handle the request.

Example: http://www.victim.com/%3f.jsp

This vulnerability allows anyone with remote access to the web server to browse it and any directory within the web root.

David Walker explained:

The web server converts "/%3f.jsp" to "/?.jsp". Since the character is encoded, it is assumed to be a legitimate part of the filename. Then the URL "/?.jsp" is passed to JRun, which sees it as a request for "/" with a query string of ".jsp". This type of bug could be used to produce other unexpected behavior. A request for "/myfile.htm%3f.jsp" could possibly result in JRun serving /myfile.htm rather than the web server.

SOLUTION

A patch is expected to be included in the next rollup patch for JRun. In the meantime Allaire have released a security bulletin at http://www.allaire.com/handlers/index.cfm?ID=22235&Method=Full to notify customers of this problem, and advise disabling SSI as a workaround.

As a workaround, sites using JRun can disable SSI support on the web server: it is not required for any other feature of the server, including Java Server Pages, so few sites actually need this functionality. This involves both disabling the .shtml extension mapping to SSI handling and disabling the /servlet/ method of invoking the servlet which does SSI processing (the latter can be done either by disabling the /servlet/ mapping if it is not used, or by blocking access to the particular servlet affected - allaire.jrun.ssi.SSIFilter for JRun 3.x, com.livesoftware.jrun.plugins.ssi.SSIFilter on JRun 2.3.x).

Update
======

Macromedia has released the following regarding all current JRun vulnerabilities:

SECURITY BULLETINS:

* MBSB01-13: Workaround Addresses IIS 4/5 Web Server Root Directory Browse Access
* MPSB01-14: Patch Available for Serving JSP Pages out of the WEB-INF and META-INF Directories
* MBSB01-15: Patch Available for Revealing Source Code when Accessing a JSP as myjsp%00 or myjs%2570 via the JWS or IIS
* MPSB01-16: Patch Available for Retrieval of File Content with an HTTP GET under Certain Conditions
* MPSB01-17: Patch Available for File System Traversal Issue with JRun Web Server on Windows Platforms
* MPSB01-18: Patch Available for Unnecessary Appending of jsessionid in URL (URL Rewriting)

SECURITY BULLETINS:

* MPSB01-09: JRun 3.1, JRun 3.0 ::$DATA Vulnerability (a.k.a. JSP View Source Vulnerability)
* MPSB01-10: Patch Available for Duplicate Session IDs Issue
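The two request patterns described under PROBLEM (a GET for an .shtml page that carries a body, and a percent-encoded "?" placed before a .jsp extension) can be spotted by inspecting raw requests at a proxy or in a capture. The following is an added example, not code from the advisory or from JRun; it assumes raw HTTP/1.x request text as input, and the sample requests and finding labels are constructed.

```python
import re

SSI_EXT = ".shtml"

def parse_request(raw):
    """Split raw HTTP/1.x request text into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def findings(raw):
    """Return finding labels for one request; an empty list means nothing matched."""
    method, path, headers, body = parse_request(raw)
    path_only = path.split("?", 1)[0]
    out = []
    # 1) A body on a GET/HEAD for an SSI page: on a missing page the
    #    vulnerable handler falls back to processing that body.
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError:
        declared = 0
    if (method in ("GET", "HEAD") and path_only.lower().endswith(SSI_EXT)
            and (declared > 0 or body)):
        out.append("ssi-body-fallback")
    # 2) An encoded '?' that the front-end web server keeps as a filename
    #    character but JRun reinterprets as the query-string separator.
    if re.search(r"%3f[^/]*\.jsp$", path_only, re.IGNORECASE):
        out.append("encoded-qmark-jsp")
    return out

# Constructed sample requests (not taken from the advisory).
SAMPLES = {
    "ssi_fallback": "GET /nosuch.shtml HTTP/1.0\r\nHost: example.test\r\n"
                    "Content-Length: 5\r\n\r\nhello",
    "encoded_qmark": "GET /myfile.htm%3f.jsp HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "clean": "GET /index.jsp?x=1 HTTP/1.0\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, findings(raw) or "clean")
```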