Under certain circumstances, it is possible to insert executable code in the form of JSP tags and cause the code to be compiled and executed using JRun's handlers.
Credit:
The information has been provided by Allaire Secure.
Affected Software versions:
JRun 2.3.3 (all editions)
By submitting deliberately malformed input to an improperly secured application running on JRun 2.3.3, attackers can execute arbitrary and potentially malicious JSP code.
For this issue to be exploited, an application must exist on the JRun server that takes browser input, unchecked, and saves it to a file within the web document directory. If the potential attacker can predict where in the hierarchy that file is, it can then be invoked by a deliberately malformed URI. The URI uses JRun's JSP servlet to invoke the target file as a JSP file.
In this way, an attacker can contrive to invoke arbitrary JSP commands on the JRun server. It is possible that a determined attacker could gain administrative control of the server.
Please note that this applies only to the HTTP server included with JRun, not to any other vendor's web server.
Vendor Response:
Allaire has released a patch that should resolve the issue in JRun 2.3.3. The patch is available for immediate download and application.
JRun 2.3.3 users can find the patch at the following URIs. Use the patch appropriate to your platform; installation instructions are included:
Windows 95/98/NT/2000 and Windows NT Alpha:
http://download.allaire.com/jrun/jr233p_ASB00_28_29.zip
UNIX/Linux patch - GNU gzip/tar:
http://download.allaire.com/jrun/jr233p_ASB00_28_29.tar.gz
Please Note: The patch for ASB00-28 (Non-WebRoot requests security issue) and ASB00-29 (JSP execution of arbitrary file vulnerability) is identical. If you have already installed the patch for one, you do not need to install it for the other.
It is recommended that you back up your existing data before applying any patch.
What Customers Should Do:
Customers should download and apply the patch provided.
Customers should also take this time to review the Allaire Security Best Practices document, 'Security Best Practice: Validating Browser Input', to help prevent this kind of security risk in general.
Please note: As always, customers should test patch changes in a testing environment before modifying production servers.
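The precondition described above is an application that saves unchecked browser input to a predictable file under the web document directory. The following Java class is an added example, not Allaire's code or part of the original advisory; it shows one way to store such input so that it holds no JSP tag and sits outside the document tree. The class name, the `webroot` and `appdata` paths and the 4096-character limit are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.UUID;

public class SafeInputStore {
    private final Path dataDir; // hypothetical storage directory, kept outside the web root

    public SafeInputStore(Path webRoot, Path dataDir) {
        Path root = webRoot.toAbsolutePath().normalize();
        this.dataDir = dataDir.toAbsolutePath().normalize();
        // Refuse a configuration that would place saved input where the web server can serve it.
        if (this.dataDir.startsWith(root)) {
            throw new IllegalArgumentException("data directory must not be under the web root");
        }
    }

    // Encode tag-opening characters so the stored text contains no "<%" sequence.
    // '&' is replaced first so the entities added afterwards are not double-encoded.
    static String neutralize(String input) {
        return input.replace("&", "&amp;")
                    .replace("<", "&lt;")
                    .replace(">", "&gt;")
                    .replace("%", "&#37;");
    }

    // Save browser input under a server-chosen random name with a non-JSP extension;
    // nothing supplied by the client influences the path.
    public Path save(String browserInput) throws IOException {
        if (browserInput == null || browserInput.length() > 4096) { // assumed limit
            throw new IllegalArgumentException("input missing or too long");
        }
        Files.createDirectories(dataDir);
        Path target = dataDir.resolve(UUID.randomUUID() + ".txt");
        Files.write(target, neutralize(browserInput).getBytes(StandardCharsets.UTF_8));
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input containing a JSP scriptlet tag.
        SafeInputStore store = new SafeInputStore(Paths.get("webroot"), Paths.get("appdata"));
        Path saved = store.save("hello <% out.println(1); %>");
        String onDisk = new String(Files.readAllBytes(saved), StandardCharsets.UTF_8);
        System.out.println(saved + " -> " + onDisk);
    }
}
```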