From matt@westpoint.ltd.uk Mon Jul 1 04:04:18 2002 From: Matt Moore To: vulnwatch@vulnwatch.org Date: Fri, 28 Jun 2002 16:37:50 +0100 Subject: [VulnWatch] wp-02-0009: Macromedia JRun Admin Server Authentication Bypass Westpoint Security Advisory Title: Macromedia JRun Admin Server Authentication Bypass Risk Rating: Medium Software: Macromedia JRun Platforms: WinNT, Win2k, *nix Vendor URL: www.macromedia.com Author: Matt Moore Date: 28th June 2002 Advisory ID#: wp-02-0009.txt Overview: ========= JRun is Macromedia's servlet / jsp engine. It installs an web based administration console on TCP port 8000. Before using the console users are required to login via an HTML form. This form can be bypassed, and administrative functions accessed without authentication. Details: ======== The login form is the default page served up by the server on port 8000. By inserting an extra '/' in the URL we bypass the login form and gain access to the web based admin console, e.g. http://JRun-Server// We do not have unrestricted access to the admin console - clicking on further links returns you to the login page. However, by requesting the desired admin function in the initial URL we bypass this restriction also, e.g: JRun-Server:8000//welcome.jsp?&action=stop&server=default will shutdown the 'default' JRun server instance on port 8100. Other administrative functions can also be accessed. Patch Information: ================== Macromedia have produced a cumulative patch for JRun 3.0/3.1/4.0, availability of which is described in the bulletin at: http://www.macromedia.com/v1/handlers/index.cfm?ID=23164 This advisory is available online at: http://www.westpoint.ltd.uk/advisories/wp-02-0009.txt