From labs@FOUNDSTONE.COM Mon Oct 23 22:07:43 2000
From: Foundstone Labs
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Mon, 23 Oct 2000 11:26:33 -0700
Subject: [BUGTRAQ] Allaire's JRUN Unauthenticated Access to WEB-INF directory

Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory
Allaire's JRUN
----------------------------------------------------------------------
FS Advisory ID:        FS-102300-12-JRUN
Release Date:          October 23, 2000
Product:               JRun 3.0
Vendor:                Allaire Inc. (http://www.allaire.com)
Vendor Advisory:       http://www.allaire.com/security/
Type:                  Unauthenticated Access to WEB-INF directory
Severity:              High
Author:                Shreeraj Shah (shreeraj.shah@foundstone.com)
                       Saumil Shah (saumil.shah@foundstone.com)
                       Stuart McClure (stuart.mcclure@foundstone.com)
                       Foundstone, Inc. (http://www.foundstone.com)
Operating Systems:     All operating systems
Vulnerable versions:   JRun 3.0
Foundstone Advisory:   http://www.foundstone.com/cgi-bin/display.cgi?Section_ID=13
----------------------------------------------------------------------

Description

A severe security flaw exists in Allaire's JRun 3.0 that allows an attacker to access WEB-INF directories on the JRun 3.0 server. The WEB-INF directory tree contains web application classes, pre-compiled JSP files, server side libraries, session information and files such as web.xml and webapp.properties.

Details

JRun 3.0 can be made to run as a stand-alone web server on port 8100. The directory /servers/default holds the web applications hosted on the server. The directory /servers/default/default-app is the web document root for the default web application. This application is mapped to http://site.running.jrun:8100/ when accessed via a web browser. Other web application directories are set up in a similar manner, as follows:

/servers/default/app1
/servers/default/app2
...

etc. Their URLs would be mapped as http://site.running.jrun:8100/app1, http://site.running.jrun:8100/app2, ... and so on, depending on the configuration.

Each web application directory contains a WEB-INF directory tree which holds configuration files, server side components, libraries and other application related information. This directory is not meant to be visible to the client. If the WEB-INF directory is requested by a web browser via the following URL:

http://site.running.jrun:8100/WEB-INF/

the server responds with a 403 Forbidden error code. However, it is possible to access this directory via the following URL:

http://site.running.jrun:8100//WEB-INF/

This causes the entire directory tree under WEB-INF to be displayed, and from there the files under this directory can be accessed. For example:

http://site.running.jrun:8100//WEB-INF/web.xml
http://site.running.jrun:8100//WEB-INF/webapp.properties

would allow remote attackers to view web.xml and webapp.properties in the WEB-INF directory. Attackers can also access critical resources such as class files, session information, etc.

Proof of concept

Prefixing the path to WEB-INF with an extra / in the URL causes the directory structure within WEB-INF to be displayed:

http://site.running.jrun:8100//WEB-INF/

Solution

Follow the recommendations given in Allaire Security Bulletin ASB00-27, available at:

http://www.allaire.com/security/

Credits

We would also like to thank Allaire Inc. for their prompt reaction to this problem and their co-operation in heightening security awareness in the security community.

Disclaimer

The information contained in this advisory is the copyright (C) 2000 of Foundstone, Inc. and believed to be accurate at the time of printing, but no representation or warranty is given, express or implied, as to its accuracy or completeness. Neither the author nor the publisher accepts any liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of, or reliance placed on, this information for any purpose. This advisory may be redistributed provided that no fee is assigned and that the advisory is not modified in any way.
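The advisory shows a 403 for /WEB-INF/ but a directory listing for //WEB-INF/, which is the classic shape of an access check performed on the raw request path instead of on a canonical one. The Python below is an added illustration written for this editing pass; it is not Foundstone's or Allaire's code and does not describe JRun's internals. It assumes, as a model of the bug class, a naive prefix comparison on the un-normalized path (naive_is_protected), sets beside it a check that first collapses duplicate slashes and dot segments (canonicalize, hardened_is_protected), and then runs the hardened check over constructed access-log lines modelled on the requests quoted above to show how a defender would spot the bypass in logs: a 200 on a request that canonicalizes into WEB-INF but that the raw-prefix check would not have caught. The canonicalizer assumes the container has already percent-decoded the path; the log lines are constructed, not real JRun output.

```python
import re
from typing import Dict, Iterable, List

# Directory names a servlet container must never serve to a client.
PROTECTED_DIRS = {"WEB-INF", "META-INF"}

# Common Log Format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')


def naive_is_protected(raw_path: str) -> bool:
    """Prefix match against the raw request path, the kind of check a
    double-slash request sidesteps: '/WEB-INF/x' matches, '//WEB-INF/x' does not.
    This is an assumed model of the flawed check, not a description of JRun's code."""
    upper = raw_path.upper()
    return any(upper.startswith("/" + d + "/") or upper == "/" + d for d in PROTECTED_DIRS)


def canonicalize(path: str) -> str:
    """Collapse empty ('//'), '.' and '..' segments so every spelling of a location
    maps to one string rooted at '/'. Done by hand because posixpath.normpath keeps
    a leading '//' intact (POSIX allows it to be meaningful), which is exactly the
    case that matters here. Assumes percent-decoding has already happened."""
    parts: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue            # empty segment (from '//' or the leading '/') or '.', adds nothing
        if seg == "..":
            if parts:
                parts.pop()     # climb one level, never above the root
            continue
        parts.append(seg)
    canon = "/" + "/".join(parts)
    if parts and path.endswith("/"):
        canon += "/"            # keep the directory-request marker
    return canon


def hardened_is_protected(raw_path: str) -> bool:
    """Decide on the canonical path and on whole segments, so '//WEB-INF/',
    '/app1//WEB-INF/' and '/WEB-INF' all land in the protected set."""
    return any(seg.upper() in PROTECTED_DIRS for seg in canonicalize(raw_path).split("/"))


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Flag every request whose canonical path reaches a protected directory and
    record whether the raw-prefix check would have stopped it. A 2xx status on a
    request the naive check misses is the log signature of the bypass."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, method, raw_path, status, _size = m.groups()
        if not hardened_is_protected(raw_path):
            continue
        findings.append({
            "client": client,
            "time": when,
            "method": method,
            "raw_path": raw_path,
            "canonical": canonicalize(raw_path),
            "status": int(status),
            "naive_blocked": naive_is_protected(raw_path),
        })
    return findings


# Constructed sample log lines modelled on the requests in the advisory;
# they are not real JRun output.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Oct/2000:11:26:33 -0700] "GET /index.jsp HTTP/1.0" 200 1234
192.0.2.10 - - [23/Oct/2000:11:26:40 -0700] "GET /WEB-INF/web.xml HTTP/1.0" 403 0
192.0.2.10 - - [23/Oct/2000:11:26:45 -0700] "GET //WEB-INF/web.xml HTTP/1.0" 200 2048
192.0.2.10 - - [23/Oct/2000:11:26:50 -0700] "GET //WEB-INF/webapp.properties HTTP/1.0" 200 512
192.0.2.11 - - [23/Oct/2000:11:27:02 -0700] "GET /app1/images/logo.gif HTTP/1.0" 200 9001
""".splitlines()


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        tag = "probe (blocked)" if f["naive_blocked"] else "BYPASS"
        print(f"{f['client']} {f['raw_path']!r:<40} -> {f['canonical']!r:<28} {f['status']} {tag}")
```

The point of the two checks side by side is that the protected-directory decision must be made on the same canonical path the file system will eventually resolve, never on the bytes the client sent; the log scan applies the same canonical view retrospectively, so a probe that was correctly refused and a request that slipped through show up as the same target with different outcomes.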