Bugtraq mailing list archives
Allaire Security Bulletin (ASB00-15)- Workaround available for vu lnerabilities exposed by JRun 2.3.x code sample
From: jnoller () ALLAIRE COM (Jesse Noller)
Date: Thu, 22 Jun 2000 16:14:24 -0400
Allaire Security Bulletin (ASB00-15) Workaround available for vulnerabilities exposed by JRun 2.3.x code sample Originally Posted: June 22, 2000 Last Updated: June 22, 2000 Summary JRun 2.3.x includes a number of example applications and sample code that expose security issues. JRun 3.0 addresses the viewsource.jsp issue. Allaire strongly recommends that customers follow the best practice of not installing sample code and documentation on production servers, and removing the sample code and documentation files from production servers and restricting access to those directories where they are installed on workstations. Issue JRun 2.3.x ships with several servlet examples. They are located at the JRUN_HOME/servlets directory. This directory is pre-configured for use by JRun 2.3.x to load and execute servlets. The files with a .java or .class extension in this directory must be removed because these servlets potentially expose otherwise secure information from a production site. For example, http://hostname/servlet/SessionServlet exposes all of the current HttpSession ids that are maintained by the server. Another directory that should be emptied up is the JRUN_HOME/jsm-default/services/jws/htdocs directory. This directory contains JSP sample files that demonstrate various functions on the server side. Some of the samples involve accessing a server's filesystem or exposing a server's configurations. It is absolutely necessary to remove all of these files from any production site. For example, for viewsource.jsp path checking is disabled by default and can be used to serve any file from the server's filesystem to an HTTP client. Affected Software Versions JRun 2.3.x (all editions) What Allaire is Doing Allaire intends to address the known issues in the next JRun 2.3.3 maintenance release, which should be available to JRun customers in the third quarter of this year. Until the maintenance release is available, customers should protect themselves by removing the problematic files from their servers. Allaire also publishes Security Best Practices documents. A Security Best Practices document relevant to removing sample applications and online documentation from production web servers can be found at: http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full What Customers Should Do Customers should install the 2.3.3 service pack on all of their servers when it is available. Furthermore, we recommend that customers remove all documentation, sample code, examples, and tutorials from production servers. The examples that are installed with JRun 2.3.x are installed in the JRUN_HOME/servlets directory and the JRUN_HOME/jsm-default/services/jws/htdocs directory. All files placed in these directories by the JRun installation should be removed. As a general security best practice, sample code and example applications should not be installed on production servers. Acknowledgements On June 20, 2000 Allaire was first notified of this issue, and on June 22, 2000, Allaire responded with this Security Bulletin. Allaire would like to recognize Global Integrity Corporation and Quualudes for helping to identify some of the issues related to this bulletin. Revisions June 22, 2000 -- Bulletin first created. Reporting Security Issues Allaire is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Allaire product, please send an email to secure () allaire com. We will work to appropriately address and communicate the issue. Receiving Security Bulletins When Allaire becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Allaire customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service. For additional information on security issues at Allaire, please visit the Security Zone at: http://www.allaire.com/security THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Allaire reserves the right, from time to time, to update the information in this document with current information. Jesse Noller Enterprise/Security Engineer, Allaire Corporation Email: jnoller () allaire com Phone: (617) 252-5847 http://www.allaire.com/
Current thread:
- Re: BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2, (continued)
- Re: BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2 Mike DeMaria (Jun 21)
- Re: NAI WebShield SMTP does not scan base64 encoding Sato, Ken (Jun 20)
- Microsoft Security Bulletin MS00-038 Update Microsoft Product Security (Jun 20)
- rh 6.2 - gid compromises, etc Michal Zalewski (Jun 21)
- Immunix OS 6.2 (StackGuarded Red Hat 6.2) Crispin Cowan (Jun 21)
- Warning regarding new kernel RPMs Joseph V Moss (Jun 21)
- Re: Warning regarding new kernel RPMs Dave Walter (Jun 22)
- Re: rh 6.2 - gid compromises, etc [+ MORE!!!] Stan Bubrouski (Jun 21)
- Re: rh 6.2 - gid compromises, etc [+ MORE!!!] Wietse Venema (Jun 23)
- Re: rh 6.2 - gid compromises, etc Stan Bubrouski (Jun 22)
- Allaire Security Bulletin (ASB00-15)- Workaround available for vu lnerabilities exposed by JRun 2.3.x code sample Jesse Noller (Jun 22)
- [RHSA-2000:038-01] Zope update bugzilla () REDHAT COM (Jun 22)
- FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options FreeBSD Security Advisories (Jun 22)
- Re: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options yeti (Jan 13)
- Re: rh 6.2 - gid compromises, etc Stan Bubrouski (Jun 22)
- [SECURITY] New Debian wu-ftpd packages released Daniel Jacobowitz (Jun 23)
- Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd) Joey Maier (Jun 29)
- Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd) Jim Knoble (Jun 29)
- Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd) Andrea Costantino (Jun 29)
- Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd) Kenn Humborg (Jun 29)
- Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd) Philip Rowlands (Jun 29)