Under certain circumstances, the included JRun 2.3.3 HTTP server may improperly handle a deliberately malformed URI, which will allow browser access to non-webroot resources.
Credit:
The information has been provided by Allaire Secure.
Affected Software versions:
JRun 2.3.3 (all editions)
Submitting a malformed URI to JRun 2.3.3 will allow browser access to non-webroot resources instead of simply denying the request.
For instance, if a URI resembling:
http://www.example.com:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../winnt/repair/sam.
is submitted, the password database will be displayed. Further manipulation of this URI can retrieve any other file from the drive on which the server webroot resides.
Please note that this holds only for the included JRun http server, not any other vendor's web server.
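A defender-side check for this class of request, added here as an example that is not part of the advisory or of JRun itself: it percent-decodes each requested path, walks its segments, and flags any request that resolves above the web root. It is run over constructed access-log lines (assumed NCSA-style format) that mirror the traversal pattern the advisory describes, including a percent-encoded variant.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the advisory or any real server).
# Lines 3 and 4 use the advisory's servlet prefix followed by "../" segments; line 4
# percent-encodes the separators to show why the check must decode before walking.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2000:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 512
10.0.0.5 - - [01/Jan/2000:10:00:01 +0000] "GET /servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/page.shtml HTTP/1.0" 200 1024
10.0.0.9 - - [01/Jan/2000:10:00:02 +0000] "GET /servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../winnt/repair/sam HTTP/1.0" 200 8192
10.0.0.9 - - [01/Jan/2000:10:00:03 +0000] "GET /servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/..%2F..%2F..%2Fetc/passwd HTTP/1.0" 403 0
"""

# Extracts method and path from the quoted request field of an NCSA-style log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')


def escapes_webroot(request_path: str) -> bool:
    """True if the decoded path climbs above the web root at any point.

    The walk tracks depth segment by segment instead of using normpath(), because
    normpath() silently discards leading ".." and would hide exactly this case.
    """
    path = request_path.split("?", 1)[0]
    decoded = unquote(unquote(path))          # second pass catches double-encoding
    depth = 0
    for segment in decoded.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:                     # resolved outside the web root
                return True
        else:
            depth += 1
    return False


def find_traversal_requests(log_text: str) -> list:
    """Return (client, path) pairs for every request that escapes the web root."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client = line.split(" ", 1)[0]
        if escapes_webroot(match.group("path")):
            hits.append((client, match.group("path")))
    return hits


if __name__ == "__main__":
    for client, path in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path}")
```

The same `escapes_webroot` check is what a request filter in front of the servlet should apply after decoding, so that a request resolving outside the web root is denied rather than served.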
Vendor Response:
Allaire has also released a patch that should resolve the issue in JRun 2.3.3. The patch is available for immediate download and application.
JRun 2.3.3 users can find the patch for installation at the following URIs - use the patch appropriate to your platform - instructions for installation are included:
Windows 95/98/NT/2000 and Windows NT Alpha:
http://download.allaire.com/jrun/jr233p_ASB00_28_29.zip
UNIX/Linux patch - GNU gzip/tar:
http://download.allaire.com/jrun/jr233p_ASB00_28_29.tar.gz
Please Note:
The patch for ASB00-28 ("Non WebRoot requests security issue") and ASB00-29 ("JSP execution of arbitrary file vulnerability") is identical. If you have already installed the patch for one, you do not need to install it for the other.
It is recommended that you back up your existing data before applying any patch.