"Macromedia JRun 4 is an application server used for developing and deploying Java applications. JRun 4 provides the speed and reliability required to deploy and manage your standards-based Internet applications. Loaded with features for accelerated deployment and powerful scalability, JRun 4 is an elegantly architected, web-services enabled approachable platform with full Java 2 Enterprise Edition (J2EE) compatibility. "
A session fixation vulnerability exists in the JRun Management Console, enabling attackers to hijack administrative sessions.
An HTML injection vulnerability exists in the JRun 4 Management Console, allowing an attacker to acquire the session ID of a management session and subsequently enter that session without the administrator noticing it.
Credit:
The information has been provided by ACROS Security.
The original article can be found at: http://www.acrossecurity.com/aspr/ASPR-2004-10-14-2-PUB.txt
and: http://www.acrossecurity.com/aspr/ASPR-2004-10-14-1-PUB.txt
Vulnerable Systems:
* JRun 4 for Windows, Service Pack 1a. Other versions may also be affected.
Session Fixation Vulnerability:
JRun employs so-called "session cookies" for HTTP session maintenance. After the administrator logs in to the Management Console, the JRun server generates a unique session identifier (session ID) and sends it to the administrator's browser as a cookie named JSESSIONID. This session ID effectively becomes a static password for the session: until the session times out or is closed by the logged-in administrator (by logging off), any browser with access to port 8000 of the JRun server and knowledge of the session ID has access to this session, and thereby to the administration of JRun application servers.
The Management Console login process is vulnerable to session fixation, allowing an attacker to fix the administrator's JSESSIONID cookie in advance and wait for the administrator to log in to the Management Console, thereby gaining access to the console as well.
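To make the defect concrete, here is an added example (not JRun's code, and not from the ACROS advisory) modelling a console login in Python with a constructed in-memory session store. The function and variable names are assumptions; the point is the contrast between a login that keeps the pre-login JSESSIONID and one that issues a fresh ID after authentication.

```python
import secrets
from typing import Dict, Optional

# Constructed in-memory session store standing in for the server's session table.
# Keys are session IDs (the JSESSIONID cookie value), values hold session state.
sessions: Dict[str, dict] = {}


def new_session_id() -> str:
    """Issue an unguessable session identifier."""
    return secrets.token_hex(16)


def start_anonymous_session() -> str:
    """Server issues a JSESSIONID before login (first visit to the console).
    How an attacker would plant this value in the victim's browser is out of
    scope here; the defect is that the ID survives authentication."""
    sid = new_session_id()
    sessions[sid] = {}
    return sid


def login_fixation_prone(cookie_sid: Optional[str], username: str,
                         password_ok: bool) -> Optional[str]:
    """Login that keeps whatever JSESSIONID the browser presented.
    Mirrors the advisory's flaw: an ID known before login stays valid after
    login, so anyone who knew it shares the administrator's session."""
    if not password_ok:
        return None
    sid = cookie_sid if cookie_sid in sessions else start_anonymous_session()
    sessions[sid]["user"] = username
    return sid


def login_hardened(cookie_sid: Optional[str], username: str,
                   password_ok: bool) -> Optional[str]:
    """Login that discards the pre-login session and issues a fresh ID once
    authentication succeeds (the standard session-fixation countermeasure)."""
    if not password_ok:
        return None
    if cookie_sid in sessions:
        del sessions[cookie_sid]        # pre-authentication session is gone
    sid = new_session_id()              # previously known value is never reused
    sessions[sid] = {"user": username}
    return sid


def is_admin_session(sid: Optional[str]) -> bool:
    """True if the given session ID currently carries an authenticated admin."""
    return sessions.get(sid or "", {}).get("user") == "admin"
```

In the hardened variant the pre-login ID stops working the moment the administrator authenticates, which is the behaviour the updater below restores.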
HTML Injection Vulnerability:
Cross-site scripting is a very common problem in web-based applications. Basically, it is present whenever the server includes a user's input data, which may contain client-side script (e.g. JavaScript), unsanitized somewhere within the generated web page it returns to the browser. This script, when executed, has access to all information within and about the received web page, including the cookies. JRun employs so-called "session cookies" for HTTP session maintenance. After the administrator logs in to the Management Console, the JRun server generates a unique session identifier (session ID) and sends it to the administrator's browser as a cookie named JSESSIONID. This session ID effectively becomes a static password for the session: until the session times out or is closed by the logged-in administrator (by logging off), any browser with access to port 8000 of the JRun server and knowledge of the session ID has access to this session, and thereby to the administration of JRun application servers.
Mitigating Factors:
The attacker must lure the JRun administrator into visiting a hostile web site while the administrator has an authenticated session with the JRun Management Console.
Solution:
Macromedia has issued a security bulletin and published JRun4 Updater 4, which fixes this issue. Affected users can download the updater from: http://www.macromedia.com/support/jrun/updaters.html
Workarounds:
* Don't allow potential attackers access to port 8000 of JRun server.
* Always close all browser instances/windows and delete all cookies before logging in to JRun Management Console.
* Don't browse around or read HTML e-mail while administering JRun server.