Bugtraq mailing list archives
Re: Allaire Security Bulletin (ASB01-02) JRun 3.0
From: Change Ling <change () HACKTOSECURE COM>
Date: Thu, 25 Jan 2001 13:23:54 -0800
I have been looking at this particular Jrun issue myself for the last several weeks since I've had to work on some Jrun deployed application servers. What I have noticed is that Jrun application directory contents are only vulnerable to remote viewing of unauthorized files (java byte-code, jsp files, etc...) when allowing the integrated Jrun web listener to act as the primary web listener. For a proper production quality deployment, TURN OFF the Jrun web listener and utilize any other web server supported by Jrun with the Jrun connector(I have only deployed Jrun with iPlanet and apache). Any deployments like this should not be immediately vulnerable to this particular problem. The Jrun java connector integrated into your web listener of choice would proxy application requests to the Jrun VM. Of course you shouldn't set your web server of choice's root directory at Jrun's WEB-INF dir either. There is a list of web servers that Jrun supports for this connector mechanism, but among those, and for many reasons I would only choose apache or iPlanet. (is this m$ bashing?) In every case I've ever examined a vendor supplied web listener, found it to be a better choice for security policy, AND performance to opt for a supported third party web server to act as the interface to the net. I would strongly urge anyone deploying application servers who still use any default web listener to rethink that strategy.
Allaire posted the following security bulletin to their site recently. The online version can be found at: http://www.allaire.com/handlers/index.cfm?ID=19546&Method=Full ------------------------------------ Allaire Security Bulletin (ASB01-02) JRun 3.0: Patch available for JRun malformed URI WEB-INF directory information and web.xml file retrieval issue Originally Posted: January 24, 2001 Last Updated: January 24, 2001 Summary It is possible to get a directory listing of the WEB-INF directory when requesting pages from a JRun Web Server. It is also possible to display the contents of the web.xml file in WEB-INF. Issue Under certain circumstances, submitting a malformed URI to JRun 3.0 will return the web.xml file or a directory listing of the WEB-INF directory on the server. For example, a URL like: http://jrun_server:8000/./WEB-INF/ can reveal a directory listing of the WEB-INF directory on the server, 'jrun_server'. Also, a URL like: http://jrun_server:8000/./WEB-INF/web.xml can retrieve the 'web.xml' file in the 'WEB-INF' directory. Affected Software Versions JRun 3.0 (all editions) What Allaire is Doing Allaire has published this bulletin, notifying customers of the problem. Allaire has also released a patch that should resolve the issue in JRun 3.0. The patch is included in Service Pack 2 for JRun 3.0. JRun 3.0 users can find the patch for installation at the following URIs -- use the patch appropriate to your platform -- instructions for installation are included: Windows 95/98/NT/2000 and Windows NT Alpha: http://download.allaire.com/jrun/jrun3.0/jr30sp2.exe UNIX/Linux patch - GNU gzip/tar: http://download.allaire.com/jrun/jrun3.0/jr30sp2u.sh It is recommended you back up your existing data before applying any patch. What Customers Should Do Customers should download and install Service Pack 2. Please note: As always, customers should test patch changes in a testing environment before modifying production servers. Acknowledgements Allaire would like to recognize Vanja Hrustic of The Relay Group helping to identify some of the issues related to this bulletin. Revisions January 24, 2001 -- Bulletin first created. Reporting Security Issues Allaire is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Allaire product, please send an email to secure () allaire com. We will work to appropriately address and communicate the issue. Receiving Security Bulletins When Allaire becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Allaire customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service. For additional information on security issues at Allaire, please visit the Security Zone at: http://www.allaire.com/security. THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Allaire reserves the right, from time to time, to update the information in this document with current information. ------------------------------------------
Current thread:
- Allaire Security Bulletin (ASB01-02) JRun 3.0 Ben Greenbaum (Jan 25)
- Re: Allaire Security Bulletin (ASB01-02) JRun 3.0 Change Ling (Jan 26)