
Macromedia JRun Admin Server Authentication Bypass
1st Jul 2002 [SBWID-5500]
COMMAND

	Macromedia JRun Admin Server Authentication Bypass

SYSTEMS AFFECTED

	Macromedia JRun 3.0/3.1/4.0

PROBLEM

	From Matt Moore of Westpoint Ltd.'s security advisory
	[http://www.westpoint.ltd.uk/advisories/wp-02-0009.txt]:
	

	JRun is Macromedia's servlet / jsp engine. It installs a web-based
	administration console on TCP port 8000. Before using the console users
	are required to login via an HTML form. This form can be bypassed, and
	administrative functions accessed without authentication.
	

	The login form is the default page served up by the server on port
	8000. By inserting an extra '/' in the URL we bypass the login form
	and gain access to the web based admin console, e.g.
	

	http://JRun-Server//

	

	We do not have unrestricted access to the admin console - clicking on
	further links returns you to the login page. However, by requesting the
	desired admin function in the initial URL we bypass this restriction
	also, e.g.:
	

	JRun-Server:8000//welcome.jsp?&action=stop&server=default

	

	will shutdown the 'default' JRun server instance on port 8100. Other
	administrative functions can also be accessed.
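	The root cause described above is an authorization decision made on the raw request path, so that "//welcome.jsp" and "/welcome.jsp" are routed to the same servlet but only the second is recognised as needing a login. The following Python is an added example, not code from the advisory or from JRun: it canonicalises a request path (collapsing repeated slashes and resolving dot segments), uses the canonical form for the login check, and scans constructed Common Log Format lines for requests whose raw path differs from its canonical form, which is the detection signal a defender would want in the port 8000 access log. The log lines, the public-path policy and the helper names are all assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for the port 8000 admin console;
# these are not real JRun logs.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2002:10:00:01 +0000] "GET / HTTP/1.0" 200 1432
10.0.0.5 - - [01/Jul/2002:10:00:07 +0000] "GET // HTTP/1.0" 200 5120
10.0.0.5 - - [01/Jul/2002:10:00:15 +0000] "GET //welcome.jsp?&action=stop&server=default HTTP/1.0" 200 220
10.0.0.9 - - [01/Jul/2002:10:01:00 +0000] "POST /login.jsp HTTP/1.0" 302 0
10.0.0.9 - - [01/Jul/2002:10:01:03 +0000] "GET /welcome.jsp HTTP/1.0" 200 3400
"""

# Extracts method and request target from the quoted request line of a CLF entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def raw_path(target):
    """Strip query string and fragment, keeping the path exactly as sent.
    urllib.parse.urlsplit is deliberately avoided: it would read a leading
    '//' as a network location and lose the path."""
    return target.split('#', 1)[0].split('?', 1)[0]


def canonical_path(target):
    """Return the request path with percent-encoding decoded, repeated
    slashes collapsed and '.'/'..' segments resolved, so that '//welcome.jsp'
    and '/welcome.jsp' compare equal."""
    out = []
    for seg in unquote(raw_path(target)).split('/'):
        if seg in ('', '.'):
            continue          # empty segment (from '//') or current directory
        if seg == '..':
            if out:
                out.pop()     # parent directory; never climbs above the root
            continue
        out.append(seg)
    return '/' + '/'.join(out)


def is_noncanonical(target):
    """True when the path as sent differs from its canonical form."""
    return raw_path(target) != canonical_path(target)


def find_bypass_attempts(log_text):
    """Return (line_no, method, raw target, canonical path) for every request
    whose raw path is non-canonical; the '//' requests from the advisory match."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group('target')
        if is_noncanonical(target):
            hits.append((n, m.group('method'), target, canonical_path(target)))
    return hits


# Assumed policy for the hardened check: only the login form and the root
# (which serves it) are reachable without an authenticated session.
PUBLIC_PATHS = {'/', '/login.jsp'}


def require_login(target, session_authenticated):
    """Authorization check made on the canonical path, never the raw one.
    Returns True if the request may proceed, False if it must be sent back
    to the login form."""
    if canonical_path(target) in PUBLIC_PATHS:
        return True
    return session_authenticated


if __name__ == '__main__':
    for line_no, method, target, canon in find_bypass_attempts(SAMPLE_LOG):
        print(f'line {line_no}: {method} {target} -> canonical {canon}')
```

Run against the embedded sample, the scanner reports lines 2 and 3 (the "//" and "//welcome.jsp" requests) and ignores the ordinary login flow on lines 4 and 5; with the hardened check, the stop request canonicalises to "/welcome.jsp" and is refused without a session.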

SOLUTION

	Macromedia have produced a cumulative patch for JRun 3.0/3.1/4.0,
	availability of which is described in the bulletin at:
	

	http://www.macromedia.com/v1/handlers/index.cfm?ID=23164

	
