Re: def-2001-32 - Allaire JRun directory browsing vulnerability

From: David Walker (bugtraqat_private)
Date: Sat Dec 01 2001 - 17:32:53 PST


    The most likely cause of this behavior has to do with the character code to 
    URL conversion.
    The web server converts "/%3f.jsp" to "/?.jsp".  Since the character is 
    encoded it is assumed to be a legitimate part of the filename.  
    Then the URL "/?.jsp" is passed to JRun which sees it as a request for "/" 
    with a query string of ".jsp".
    
    This type of bug could be used to produce other unexpected behavior.
    A request for "/myfile.htm%3f.jsp" could possibly result in JRun serving 
    /myfile.htm rather than the web server.  I don't use JRun so I have no way of 
    knowing if any of this unexpected behavior happens or might be dangerous.
    
    This type of bug may be discovered in other products that depend on file 
    extensions and parse the query string themselves rather than depending on the 
    query string the web server sets.
    
    A similar exploit was discovered earlier this year with IIS and .htr files.
    
    On Friday 30 November 2001 02:31 pm, Johan Burati wrote:
    > JRUN 3.0 with Netscape-Enterprise/4.1 running on HPUX is vulnerable too.
    >
    > Regards,
    > Johan Burati
    >
    > -----Original Message-----
    > From: Felix Huber [mailto:huberfelixat_private]
    > Sent: Friday, November 30, 2001 12:09 AM
    > To: bugtraqat_private
    > Cc: Stephen Dupre
    > Subject: Re: def-2001-32 - Allaire JRun directory browsing vulnerability
    >
    > > > http://www.victim.com/%3f.jsp
    > >
    > > Not only IIS is affected, I found vulnerable sites running Apache
    > > 1.3.19/Solaris and Apache 1.3.12/Linux.
    >
    > I just got a mail from Stephen Dupre (Macromedia), he helped me a lot to
    > bring light in this thing. JRun seems to be fine on Solaris/Linux/HPUX (but
    > he still investigates this). You can find the Macromedia Advisory here:
    > http://www.allaire.com/handlers/index.cfm?ID=22236&Method=Full
    >
    > The problem on the other sites seems to be mod_jk/mod_rewrite or Jserv
    > (Apache.org is contacted). But it's still unclear at the moment what causes
    > this behavior (Directory Listing).
    >
    > Simply use the NASL File from my last Mail, it will work in any case. At
    > the moment even a large German Webhoster running Linux is vulnerable to
    > this.
    >
    >
    > Regards,
    > Felix Huber
    >
    >
    > -------------------------------------------------------
    > Felix Huber, Security Consultant, Webtopia
    > Guendlinger Str.2, 79241 Ihringen - Germany
    > huberfelixat_private     (07668)  951 156 (phone)
    > http://www.webtopia.de     (07668)  951 157 (fax)
    >                                          (01792)  205 724 (mobile)
    > -------------------------------------------------------
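The two-layer parsing mismatch David describes above, as an added example that is not part of the original thread or of any JRun code: a model of a front end that percent-decodes the path once and routes on the decoded extension, a model of a backend that re-splits the decoded path at "?", plus the check a defender would add (reject encoded delimiters in the path) and a scan over constructed access-log lines. The log lines and both routing models are assumptions built for illustration.

```python
import re
from urllib.parse import unquote

def front_end_route(raw_uri):
    """Model of the first-hop web server from the post: split the query on the
    raw URI, percent-decode the path once, then pick the handler from the
    decoded filename's extension."""
    raw_path, _, raw_query = raw_uri.partition("?")
    decoded_path = unquote(raw_path)            # "%3f" becomes a literal "?"
    handler = "jrun" if decoded_path.lower().endswith(".jsp") else "webserver"
    return handler, decoded_path, raw_query

def backend_reparse(forwarded_path):
    """Model of a backend (JRun in the post) that parses the already-decoded
    path itself and splits it at the first "?" instead of trusting the
    front end's query string."""
    path, _, query = forwarded_path.partition("?")
    return path, query

def trace(raw_uri):
    """Return (handler, path, query) as the last layer to parse it sees them."""
    handler, decoded_path, raw_query = front_end_route(raw_uri)
    if handler != "jrun":
        return handler, decoded_path, raw_query
    path, query = backend_reparse(decoded_path)
    return handler, path, query or raw_query

# Mitigation: a decoded path must never contain URL delimiters. Check the
# still-encoded path for "%3f" ("?") and "%23" ("#") before any decoding.
AMBIGUOUS = re.compile(r"%(3f|23)", re.IGNORECASE)

def is_ambiguous_path(raw_uri):
    raw_path = raw_uri.partition("?")[0]
    return bool(AMBIGUOUS.search(raw_path))

# Detection: flag such requests in access logs (constructed sample lines).
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Nov/2001:12:09:00 -0800] "GET /%3f.jsp HTTP/1.0" 200 4312',
    '10.0.0.5 - - [30/Nov/2001:12:09:02 -0800] "GET /index.jsp?id=1 HTTP/1.0" 200 812',
    '10.0.0.7 - - [30/Nov/2001:12:10:11 -0800] "GET /myfile.htm%3F.jsp HTTP/1.0" 200 2210',
]
REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def flag_log_lines(lines):
    """Return the request targets whose path carries an encoded delimiter."""
    hits = []
    for line in lines:
        m = REQ.search(line)
        if m and is_ambiguous_path(m.group(1)):
            hits.append(m.group(1))
    return hits
```

Running `trace("/%3f.jsp")` reproduces the post's description: the front end routes on ".jsp", the backend sees path "/" with query ".jsp".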
    



    This archive was generated by hypermail 2b30 : Mon Dec 03 2001 - 07:34:34 PST