Re: def-2001-32 - Allaire JRun directory browsing vulnerability

[null null <sl2sho () yahoo com>]

In-Reply-To: <PKEMKDGKMFGJMOHGPHFPAEBJCAAA.george.hedfors () defcom com>

Here are some HTTP header dumps from different 
web servers that are vulnerable to the \%3f.jsp 
directory content vulnerability

HTTP/1.0 200 OK
Date: Fri, 30 Nov 2001 03:43:27 GMT
Server: Jetty/3.1.RC8 (Linux 2.2.16-22enterprise x86)
Servlet-Engine: Jetty/3.1 (JSP 1.1; Servlet 2.2; java 
1.3.0)


HTTP/1.1 200 OK
Date: Fri, 30 Nov 2001 04:00:20 GMT
Server: Apache/1.3.20 (Linux/SuSE) mod_jk
Last-Modified: Thu, 01 Nov 2001 21:20:47 GMT

HTTP/1.1 302 Found
Date: Fri, 30 Nov 2001 04:03:07 GMT
Server: Apache/1.3.14 (Unix) PHP/4.0.6 
ApacheJServ/1.1.2
Servlet-Engine: Tomcat Web Server/3.2.3 (JSP 1.1; 
Servlet 2.2; Java 1.
 5.8 sparc; java.vendor=Sun Microsystems Inc.)

mad love to securityfocus.com....

-slow2show-
University of Florida

> Received: (qmail 16045 invoked from network); 29 
Nov 2001 23:59:04 -0000
> Received: from outgoing3.securityfocus.com 
(HELO outgoing.securityfocus.com) (66.38.151.27)
>  by mail.securityfocus.com with SMTP; 29 Nov 
2001 23:59:04 -0000
> Received: from lists.securityfocus.com 
(lists.securityfocus.com [66.38.151.19])
>       by outgoing.securityfocus.com (Postfix) 
with QMQP
>       id 8AADDA3397; Thu, 29 Nov 2001 
11:10:59 -0700 (MST)
> Mailing-List: contact bugtraq-
help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-
help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-
unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-
subscribe () securityfocus com>
> Delivered-To: mailing list 
bugtraq () securityfocus com
> Delivered-To: moderator for 
bugtraq () securityfocus com
> Received: (qmail 18871 invoked from network); 29 
Nov 2001 11:03:11 -0000
> From: "George Hedfors" 
<george.hedfors () defcom com>
> To: "Felix Huber" <huberfelix () webtopia de>,
>       "BugTraq" <bugtraq () securityfocus com>
> Subject: RE: def-2001-32 - Allaire JRun directory 
browsing vulnerability
> Date: Thu, 29 Nov 2001 12:03:57 +0100
> Message-ID: 
<PKEMKDGKMFGJMOHGPHFPAEBJCAAA.george.h
edfors () defcom com>
> MIME-Version: 1.0
> Content-Type: text/plain;
>       charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 
(9.0.2910.0)
> X-MimeOLE: Produced By Microsoft MimeOLE 
V5.50.4807.1700
> Importance: Normal
> In-Reply-To: <020401c178c4$3b322630
$0205a8c0@athlon>
> That Apache must be running some JRun engine, 
could you find out wich?
> Regards, George
>
> -----Original Message-----
> From: Felix Huber [mailto:huberfelix () webtopia de]
> Sent: den 29 november 2001 11:55
> To: George Hedfors; bugtraq () securityfocus com
> Subject: Re: def-2001-32 - Allaire JRun directory 
browsing vulnerability
> > ------------------------=[Affected Systems]=-------------
-------------
> > Under Windows NT/2000(any service pack) and 
IIS 4.0/5.0:
> > - JRun 3.0 (all editions)
> > - JRun 3.1 (all editions)
> > ----------------------=[Detailed Description]=------------
------------
> > Upon sending a specially formed request to the 
web server, containing
> > a '.jsp' extension makes the JRun handle the 
request. Example:
> > http://www.victim.com/%3f.jsp
>
> Not only IIS is affected, i found a vulnerable Site 
running Apache 1.3.19 on
> Solaris.
>
> A NASL Script is attached to find affected systems.
>
>
> MfG
> Felix Huber
>
>
> -------------------------------------------------------
> Felix Huber, Security Consultant, Webtopia
> Guendlinger Str.2, 79241 Ihringen - Germany
> huberfelix () webtopia de     (07668)  951 156 (phone)
> http://www.webtopia.de     (07668)  951 157 (fax)
>                                         (01792)  205 724 (mobile)
> -------------------------------------------------------