Nessus Plugin #10814
Plugin Index
Note: This file has been created from a
downloaded version of the Nessus Plugins
from
http://www.nessus.org/.
Therefore, the information here can be outdated.
Allaire JRun directory browsing vulnerability
- Family:
- CGI abuses
- Category:
- infos
- Copyright:
- This script is Copyright (C) 2001 Felix Huber
- Summary:
- Allaire JRun directory browsing vulnerability
- Version:
- $Revision: 1.11 $
- Cve_id:
- -
- Bugtraq_id:
- 3592
- Xrefs:
- -
- Description:
Allaire JRun 3.0/3.1 under a Microsoft IIS 4.0/5.0 platform has a
problem handling malformed URLs. This allows a remote user to browse
the file system under the web root (normally \inetpub\wwwroot).
Under Windows NT/2000(any service pack) and IIS 4.0/5.0:
- JRun 3.0 (all editions)
- JRun 3.1 (all editions)
Upon sending a specially formed request to the web server, containing
a '.jsp' extension makes the JRun handle the request. Example:
http://www.victim.com/%3f.jsp
This vulnerability allows anyone with remote access to the web server
to browse it and any directory within the web root.
Solution:
>From Macromedia Product Security Bulletin (MPSB01-13)
http://www.allaire.com/handlers/index.cfm?ID=22236&Method=Full
Macromedia recommends, as a best practice, turning off directory
browsing for the JRun Default Server in the following applications:
- Default Application (the application with '/' mapping that causes
the security problem)
- Demo Application
Also, make sure any newly created web application that uses the '/'
mapping has directory browsing off.
The changes that need to be made in the JRun Management Console or JMC:
- JRun Default Server/Web Applications/Default User Application/File
Settings/Directory Browsing Allowed set to FALSE.
- JRun Default Server/Web Applications/JRun Demo/File Settings/
Directory Browsing Allowed set to FALSE.
Restart the servers after making the changes and the %3f.jsp request
should now return a 403 forbidden. When this bug is fixed, the request
(regardless of directory browsing setting) should return a '404 page
not found'.
The directory browsing property is called [file.browsedirs]. Changing
the property via the JMC will cause the following changes:
JRun 3.0 will write [file.browsedirs=false] in the local.properties
file. (server-wide change)
JRun 3.1 will write [file.browsedirs=false] in the webapp.properties
of the application.
Risk factor : Medium
Generiert am 27.04.2005 um 18:49:54 Uhr.