Under certain circumstances, the included JRun 3.0 HTTP server may improperly handle leading path-specifying characters, and a deliberately malformed URI will allow browser access to otherwise-forbidden JRun 3.0 resources.
Credit:
The information has been provided by Allaire Secure.
Affected Software versions:
JRun 3.0 (all editions)
JRun 3.0 SP1 (all editions)
Under certain circumstances, submitting a malformed URI to JRun 3.0 will allow browser access to otherwise-forbidden JRun 3.0 resources instead of simply denying the request.
For instance, if a URI resembling http://localhost:8100//WEB-INF/ is furnished, the entire contents of this otherwise-hidden directory will be displayed. Further manipulation of this URI can reveal important JRun configuration information.
Please note that this holds only for the included JRun HTTP server, not any other vendor's web server.
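As an added illustration (not JRun's or Allaire's code), the following Python shows why a literal prefix check misses the //WEB-INF/ form the advisory describes and how a canonicalizing check, applied both at request time and over access-log lines, catches it. The forbidden directory names, the function names and the log lines are assumptions constructed for the example.

```python
import re
import posixpath
from urllib.parse import unquote

# Added illustration, not JRun's code. Directory names follow the servlet
# convention the advisory refers to; the log lines below are constructed.
FORBIDDEN_DIRS = ("/WEB-INF/", "/META-INF/")

def naive_is_forbidden(raw_path):
    """Literal prefix test: '//WEB-INF/' does not start with '/WEB-INF/'."""
    return any(raw_path.startswith(d) for d in FORBIDDEN_DIRS)

def canonical_path(raw_path):
    """Percent-decode, collapse runs of '/', resolve '.' and '..'."""
    path = unquote(raw_path.split("?", 1)[0])   # drop any query string
    path = re.sub(r"/+", "/", path)             # '//WEB-INF/' -> '/WEB-INF/'
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)             # '/a/../WEB-INF' -> '/WEB-INF'
    return path if path.endswith("/") else path + "/"

def hardened_is_forbidden(raw_path):
    """Decide on the canonical form, case-insensitively (Windows file systems)."""
    canon = canonical_path(raw_path).upper()
    return any(canon.startswith(d) for d in FORBIDDEN_DIRS)

# Constructed access-log lines in common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2001:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1024
10.0.0.5 - - [01/Jan/2001:10:00:01 +0000] "GET //WEB-INF/ HTTP/1.0" 200 512
10.0.0.5 - - [01/Jan/2001:10:00:02 +0000] "GET /app/..//WEB-INF/web.xml HTTP/1.0" 200 2048
10.0.0.5 - - [01/Jan/2001:10:00:03 +0000] "GET /WEB-INFO/x HTTP/1.0" 404 0
"""
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def flag_log_lines(log_text):
    """Return the raw request targets whose canonical path reaches a forbidden dir."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and hardened_is_forbidden(m.group(1)):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    for target in ("//WEB-INF/", "/app/..//WEB-INF/web.xml"):
        print(target, naive_is_forbidden(target), hardened_is_forbidden(target))
    print(flag_log_lines(SAMPLE_LOG))
```

Note that posixpath.normpath alone keeps a leading double slash (POSIX treats it as special), which is why the slashes are collapsed before normalizing.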
Vendor Response:
Allaire has released a patch that should resolve the issue in JRun 3.0. The patch is available for immediate download and application.
JRun 3.0 users can find the patch at the following URIs; use the patch appropriate to your platform. Installation instructions are included:
Windows 95/98/NT/2000 and Windows NT Alpha:
http://download.allaire.com/jrun/jrun3.0/extraslashes.ZIP
UNIX/Linux patch - GNU gzip/tar:
http://download.allaire.com/jrun/jrun3.0/extraslashes.tar.gz
It is recommended that you back up your existing data before applying any patch.
Please note: As always, customers should test patch changes in a testing environment before modifying production servers.