From george.hedfors@defcom.com Wed Nov 28 15:06:56 2001
From: George Hedfors
To: bugtraq@securityfocus.com
Date: Wed, 28 Nov 2001 12:54:46 +0100
Subject: def-2001-32

======================================================================
Defcom Labs Advisory def-2001-32

Allaire JRun directory browsing vulnerability

Author: George Hedfors
Release Date: 2001-11-28
======================================================================

------------------------=[Brief Description]=-------------------------

Allaire JRun 3.0/3.1 running under Microsoft IIS 4.0/5.0 has a problem
handling malformed URLs. This allows a remote user to browse the file
system under the web root (normally \inetpub\wwwroot).

------------------------=[Affected Systems]=--------------------------

Under Windows NT/2000 (any service pack) and IIS 4.0/5.0:

- JRun 3.0 (all editions)
- JRun 3.1 (all editions)

----------------------=[Detailed Description]=------------------------

Sending a specially formed request containing a '.jsp' extension to
the web server makes JRun handle the request. Example:

http://www.victim.com/%3f.jsp

This vulnerability allows anyone with remote access to the web server
to browse it and any directory within the web root.

---------------------------=[Workaround]=-----------------------------

From Macromedia Product Security Bulletin (MPSB01-13):
http://www.allaire.com/handlers/index.cfm?ID=22236&Method=Full

Macromedia recommends, as a best practice, turning off directory
browsing for the JRun Default Server in the following applications:

- Default Application (the application with the '/' mapping that
  causes the security problem)
- Demo Application

Also, make sure any newly created web application that uses the "/"
mapping has directory browsing off.

The changes that need to be made in the JRun Management Console (JMC):

- JRun Default Server/Web Applications/Default User Application/
  File Settings/Directory Browsing Allowed set to FALSE.
- JRun Default Server/Web Applications/JRun Demo/File Settings/
  Directory Browsing Allowed set to FALSE.

Restart the servers after making the changes; the %3f.jsp request
should now return a "403 forbidden". When this bug is fixed, the
request (regardless of the directory browsing setting) should return
a "404 page not found".

The directory browsing property is called [file.browsedirs]. Changing
the property via the JMC will cause the following changes:

JRun 3.0 will write [file.browsedirs=false] in the local.properties
file (server-wide change).

JRun 3.1 will write [file.browsedirs=false] in the webapp.properties
file of the application.

-----------------------------=[Exploit]=------------------------------

http://[machine]/%3f.jsp
http://[machine]/[anydirectory]/%3f.jsp

-------------------------=[Vendor Response]=--------------------------

This issue was brought to the vendor's attention on the 6th of
November, 2001.

Workaround: Macromedia Product Security Bulletin (MPSB01-13)
http://www.allaire.com/handlers/index.cfm?ID=22236&Method=Full

======================================================================
This release was brought to you by Defcom Labs
labs@defcom.com
http://labs.defcom.com
======================================================================
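As an added example (not part of the original advisory or of JRun), the following Python checks the two things the Workaround section leaves the administrator to verify: whether a local.properties/webapp.properties file actually carries file.browsedirs=false, and whether IIS W3C logs contain the %3f.jsp request pattern from the Exploit section, with the status code showing whether the workaround (403) was in effect. The properties fragment, log lines, hosts and addresses are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample of a JRun 3.1 webapp.properties fragment (not a real file).
SAMPLE_PROPERTIES = """
# webapp.properties (constructed sample)
file.browsedirs=true
servlet.demo.class=com.example.Demo
"""

def directory_browsing_enabled(properties_text):
    """True unless file.browsedirs is explicitly false. The JMC switch lands in
    local.properties (JRun 3.0) or webapp.properties (JRun 3.1); a missing key
    counts as enabled so a fresh '/'-mapped application is flagged too."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "file.browsedirs":
            return value.strip().lower() != "false"
    return True

# Constructed IIS W3C extended log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-11-28 12:54:46 192.0.2.10 GET /%3f.jsp - 200
2001-11-28 12:54:47 192.0.2.10 GET /scripts/%3f.jsp - 200
2001-11-28 12:55:01 192.0.2.20 GET /index.jsp - 200
2001-11-28 12:55:09 192.0.2.30 GET /%3F.JSP - 403
"""

# A path segment that is exactly '?' followed by .jsp, in any letter case.
PROBE = re.compile(r"(^|/)\?\.jsp$", re.IGNORECASE)

def find_probe_requests(log_text):
    """Return (c-ip, cs-uri-stem, sc-status) for each request matching the
    %3f.jsp pattern. The stem is percent-decoded first so %3f, %3F and a
    literal '?' all match; 403 means the workaround held, 200 means it did not."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        ip, stem, status = fields[2], fields[4], fields[6]
        if PROBE.search(unquote(stem)):
            hits.append((ip, stem, int(status)))
    return hits
```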