Allaire Security Bulletin (ASB00-15)- Workaround available for vu lnerabilities exposed by JRun 2.3.x code sample

[jnoller () ALLAIRE COM (Jesse Noller)]

Allaire Security Bulletin (ASB00-15)
Workaround available for vulnerabilities exposed by JRun 2.3.x code sample

Originally Posted: June 22, 2000
Last Updated: June 22, 2000

Summary

JRun 2.3.x includes a number of example applications and sample code that
expose security issues. JRun 3.0 addresses the viewsource.jsp issue. Allaire
strongly recommends that customers follow the best practice of not
installing sample code and documentation on production servers, and removing
the sample code and documentation files from production servers and
restricting access to those directories where they are installed on
workstations.

Issue

JRun 2.3.x ships with several servlet examples. They are located at the
JRUN_HOME/servlets directory. This directory is pre-configured for use by
JRun 2.3.x to load and execute servlets. The files with a .java or .class
extension in this directory must be removed because these servlets
potentially expose otherwise secure information from a production site. For
example, http://hostname/servlet/SessionServlet exposes all of the current
HttpSession ids that are maintained by the server.

Another directory that should be emptied up is the
JRUN_HOME/jsm-default/services/jws/htdocs directory. This directory contains
JSP sample files that demonstrate various functions on the server side. Some
of the samples involve accessing a server's filesystem or exposing a
server's configurations. It is absolutely necessary to remove all of these
files from any production site. For example, for viewsource.jsp path
checking is disabled by default and can be used to serve any file from the
server's filesystem to an HTTP client.

Affected Software Versions

JRun 2.3.x (all editions)
What Allaire is Doing

Allaire intends to address the known issues in the next JRun 2.3.3
maintenance release, which should be available to JRun customers in the
third quarter of this year. Until the maintenance release is available,
customers should protect themselves by removing the problematic files from
their servers.

Allaire also publishes Security Best Practices documents. A Security Best
Practices document relevant to removing sample applications and online
documentation from production web servers can be found at:

http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full

What Customers Should Do

Customers should install the 2.3.3 service pack on all of their servers when
it is available.

Furthermore, we recommend that customers remove all documentation, sample
code, examples, and tutorials from production servers. The examples that are
installed with JRun 2.3.x are installed in the JRUN_HOME/servlets directory
and the JRUN_HOME/jsm-default/services/jws/htdocs directory. All files
placed in these directories by the JRun installation should be removed. As a
general security best practice, sample code and example applications should
not be installed on production servers.

Acknowledgements

On June 20, 2000 Allaire was first notified of this issue, and on June 22,
2000, Allaire responded with this Security Bulletin.

Allaire would like to recognize Global Integrity Corporation and Quualudes
for helping to identify some of the issues related to this bulletin.

Revisions
June 22, 2000 -- Bulletin first created.

Reporting Security Issues
Allaire is committed to addressing security issues and providing customers
with the information on how they can protect themselves. If you identify
what you believe may be a security issue with an Allaire product, please
send an email to secure () allaire com. We will work to appropriately address
and communicate the issue.

Receiving Security Bulletins
When Allaire becomes aware of a security issue that we believe significantly
affects our products or customers, we will notify customers when
appropriate. Typically this notification will be in the form of a security
bulletin explaining the issue and the response. Allaire customers who would
like to receive notification of new security bulletins when they are
released can sign up for our security notification service.

For additional information on security issues at Allaire, please visit the
Security Zone at:
http://www.allaire.com/security

THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
Allaire reserves the right, from time to time, to update the information in
this document with current information.

Jesse Noller
Enterprise/Security Engineer, Allaire Corporation
Email: jnoller () allaire com
Phone: (617) 252-5847
http://www.allaire.com/