COMMAND
JRun
SYSTEMS AFFECTED
JRun 2.3.x (all editions)
PROBLEM
The following is based on an Allaire Security Bulletin. JRun 2.3.x
includes a number of example applications and sample code that
expose security issues. JRun 3.0 addresses the viewsource.jsp
issue. Allaire strongly recommends that customers follow the
best practice of not installing sample code and documentation on
production servers, removing any sample code and documentation
files already present on production servers, and restricting access
to the directories where they are installed on workstations.
JRun 2.3.x ships with several servlet examples, located in the
JRUN_HOME/servlets directory. JRun 2.3.x is pre-configured to load
and execute servlets from this directory. The files with a .java or
.class extension in this directory must be removed, because these
servlets can expose otherwise secure information from a production
site. For example,
http://hostname/servlet/SessionServlet
exposes all of the current HttpSession ids maintained by the
server.
Another directory that should be emptied is
JRUN_HOME/jsm-default/services/jws/htdocs. It contains JSP sample
files that demonstrate various server-side functions. Some of the
samples access the server's filesystem or expose the server's
configuration. It is absolutely necessary to remove all of these
files from any production site. For example, viewsource.jsp
performs no path checking by default and can therefore be used to
serve any file from the server's filesystem to an HTTP client.
SOLUTION
Allaire intends to address the known issues in the next JRun 2.3.3
maintenance release, which should be available to JRun customers
in the third quarter of this year. Until the maintenance release
is available, customers should protect themselves by removing the
problematic files from their servers. Allaire also publishes
Security Best Practices documents. A Security Best Practices
document relevant to removing sample applications and online
documentation from production web servers can be found at:
http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full
Customers should install the 2.3.3 service pack on all of their
servers when it is available. Furthermore, it is recommended that
customers remove all documentation, sample code, examples, and
tutorials from production servers. The examples that are
installed with JRun 2.3.x are installed in the JRUN_HOME/servlets
directory and the JRUN_HOME/jsm-default/services/jws/htdocs
directory. All files placed in these directories by the JRun
installation should be removed. As a general security best
practice, sample code and example applications should not be
installed on production servers.
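The following shell script is an added example of the clean-up described
above; it is not part of the Allaire bulletin and not a tool shipped with
JRun. It assumes only the two directories named in the bulletin
(JRUN_HOME/servlets, where .java and .class sample servlets live, and
JRUN_HOME/jsm-default/services/jws/htdocs, which holds the JSP samples
such as viewsource.jsp) and a quarantine directory of your choosing that
lies outside any web-served tree. It counts the sample files still present,
moves them into the quarantine directory with their relative paths intact,
and reports the count again so an administrator can confirm the install is
clean. All function and variable names are hypothetical.

```shell
#!/bin/sh
# Quarantine JRun 2.3.x sample code from a production install.
# Added example script (not Allaire's own tooling); names are hypothetical.
# Usage: sh jrun_samples.sh /path/to/JRUN_HOME [/path/to/quarantine]
set -eu

# Print the sample files the bulletin says must not remain on a production
# server: .java/.class files in JRUN_HOME/servlets and every file under
# JRUN_HOME/jsm-default/services/jws/htdocs (the JSP samples, including
# viewsource.jsp). Directories that do not exist are simply skipped.
list_jrun_samples() {
    jrun_home="$1"
    if [ -d "$jrun_home/servlets" ]; then
        find "$jrun_home/servlets" -type f \( -name '*.java' -o -name '*.class' \)
    fi
    if [ -d "$jrun_home/jsm-default/services/jws/htdocs" ]; then
        find "$jrun_home/jsm-default/services/jws/htdocs" -type f
    fi
}

# Number of sample files still present; 0 means the install is clean.
count_jrun_samples() {
    list_jrun_samples "$1" | wc -l | tr -d ' '
}

# Move the sample files into a quarantine directory outside the web-served
# tree, preserving their paths relative to JRUN_HOME so they can still be
# inspected (or restored on a development workstation) later.
quarantine_jrun_samples() {
    jrun_home="$1"
    quarantine="$2"
    list_jrun_samples "$jrun_home" | while IFS= read -r f; do
        rel="${f#"$jrun_home"/}"
        mkdir -p "$quarantine/$(dirname "$rel")"
        mv "$f" "$quarantine/$rel"
    done
}

# When run directly with a JRUN_HOME argument: report, quarantine, re-check.
if [ "${1:-}" ]; then
    printf 'Sample files found under %s: %s\n' "$1" "$(count_jrun_samples "$1")"
    quarantine_jrun_samples "$1" "${2:-$1.samples-quarantine}"
    printf 'Remaining after quarantine: %s\n' "$1" "$(count_jrun_samples "$1")"
fi
```

Run it once before and once after applying the 2.3.3 maintenance release,
since a service pack or reinstall can put the samples back; a second count
of 0 is the check worth keeping in the change record. The script follows
the bulletin's narrower rule for JRUN_HOME/servlets (only .java and .class
files); if you prefer the broader "remove everything the installer placed
there" rule, drop the -name filter in the first find.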