Disclosure Vulnerability in Allaire JRun for Microsoft Internet Information Server

Reported November 28, 2001, by Defcom Labs.

VERSIONS AFFECTED

  • Allaire JRun 3.1 and 3.0

DESCRIPTION
A vulnerability exists in Allaire's JRun for Microsoft Internet Information Services (IIS) 5.0 and Internet Information Server (IIS) 4.0 that a remote user can exploit to read any file or directory located within the webroot. By appending "%3f.jsp" to a request, an attacker can read files under the webroot.
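The root cause is that the raw request path ends in ".jsp" and is routed to the JSP handler by suffix, while once the encoded "%3f" is decoded into a real "?" the path that actually gets opened is a different file. As an added illustration that is not part of the advisory, the following check flags that mismatch in IIS-style logs; the log layout and the sample lines are constructed, and treating only ".jsp" as a handler-mapped extension is an assumption.

```python
from urllib.parse import unquote

# Extensions routed to the servlet engine by suffix; assumed to be just .jsp here.
HANDLER_EXTENSIONS = (".jsp",)

# Constructed W3C-style IIS log lines: date time c-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2001-11-28 10:01:02 192.0.2.10 GET /index.html - 200
2001-11-28 10:01:05 192.0.2.10 GET /private/notes.txt%3f.jsp - 200
2001-11-28 10:01:09 192.0.2.11 GET /data/settings.ini%3F.jsp - 200
2001-11-28 10:01:12 192.0.2.12 GET /app/hello.jsp name=x 200
"""


def effective_target(raw_stem: str) -> str:
    """Path a component that decodes once and then treats '?' as the query
    delimiter would actually open (the encoded %3f becomes a real '?')."""
    return unquote(raw_stem).split("?", 1)[0]


def is_handler_bypass(raw_stem: str) -> bool:
    """True when the raw path is routed to the .jsp handler by its suffix
    but the decoded target names a file with a different extension."""
    routed_to_handler = raw_stem.lower().endswith(HANDLER_EXTENSIONS)
    target = effective_target(raw_stem).lower()
    return routed_to_handler and not target.endswith(HANDLER_EXTENSIONS)


def find_alerts(log_text: str) -> list:
    """Return (client_ip, raw_stem, decoded_target) for each suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue  # skip header/comment lines and malformed records
        client_ip, stem = fields[2], fields[4]
        if is_handler_bypass(stem):
            alerts.append((client_ip, stem, effective_target(stem)))
    return alerts


if __name__ == "__main__":
    for ip, stem, target in find_alerts(SAMPLE_LOG):
        print(f"{ip} requested {stem} -> file actually served: {target}")
```

A normal JSP request such as /app/hello.jsp decodes to itself and is not flagged; only paths whose handler suffix disagrees with the decoded target are reported.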

 

VENDOR RESPONSE

The vendor, Allaire, released security bulletin MPSB01-13 to address this vulnerability and recommends that affected users immediately turn off directory browsing of the JRun Default Server for the Default Application and Demo Application. The bulletin lists several other steps that Allaire customers should follow to protect themselves from this vulnerability.

CREDIT
Discovered by George Hedfors of Defcom Labs.
