COMMAND

    JRun

SYSTEMS AFFECTED

    JRun 3.0

PROBLEM

    The following is based on a Foundstone Security Advisory by Shreeraj
    Shah, Saumil Shah and Stuart McClure.  A severe security flaw exists
    in Allaire's JRun 3.0 that allows an attacker to access the WEB-INF
    directories on a JRun 3.0 server.  The WEB-INF directory tree
    contains web application classes, pre-compiled JSP files, server-side
    libraries, session information and files such as web.xml and
    webapp.properties.

    JRun 3.0 can be made to run as a stand-alone web server on port 8100.
    The directory <jrun_install_dir>/servers/default holds the different
    web applications hosted on the server.

    The directory <jrun_install_dir>/servers/default/default-app is the
    web document root for the default web application.  When accessed
    via a web browser, this application is mapped to
    http://site.running.jrun:8100/.

    Other web application directories are  set up in a similar  manner
    as follows:

        <jrun_install_dir>/servers/default/app1
        <jrun_install_dir>/servers/default/app2 ... etc.

    Their URLs would be mapped as:

        http://site.running.jrun:8100/app1,
        http://site.running.jrun:8100/app2,...

    and so on, depending on the configuration.

    Each web application directory contains a WEB-INF directory tree
    holding configuration files, server-side components, libraries and
    other application-related information.  This directory is not meant
    to be visible to the client.  If the WEB-INF directory is requested
    by a web browser via the following URL:

        http://site.running.jrun:8100/WEB-INF/

    the server responds with a 403 Forbidden error code.  However, it is
    possible to access this directory via the following URL:

        http://site.running.jrun:8100//WEB-INF/

    This causes the entire directory tree under WEB-INF to be listed, and
    from the listing the files under this directory can be retrieved.
    For example:

        http://site.running.jrun:8100//WEB-INF/web.xml
        http://site.running.jrun:8100//WEB-INF/webapp.properties

    would allow remote attackers to view web.xml and webapp.properties
    in the WEB-INF directory.  Attackers can likewise retrieve other
    sensitive resources such as class files and session information.

    In short, prefixing the path to WEB-INF with an extra / in the URL,
    so that the request begins with a double slash, causes the directory
    structure within WEB-INF to be displayed:

        http://site.running.jrun:8100//WEB-INF/
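    The flaw above is a path-canonicalisation failure: the server's
    WEB-INF check evidently compared the raw request path, so "//WEB-INF/"
    did not match "/WEB-INF/" even though both resolve to the same
    directory.  The following is an added illustration, not code from the
    advisory or from JRun, showing a naive prefix check beside a check that
    canonicalises the path first; the request paths are constructed samples
    modelled on the URLs quoted in this advisory.

```python
"""Added example: naive vs. canonicalising WEB-INF access checks."""
from posixpath import normpath
from urllib.parse import unquote

# Constructed request paths modelled on the advisory's examples.
REQUESTS = [
    "/WEB-INF/",
    "//WEB-INF/",
    "//WEB-INF/web.xml",
    "/app1//WEB-INF/webapp.properties",
    "/index.html",
]


def naive_is_forbidden(path: str) -> bool:
    """A literal prefix comparison on the raw request path: the kind of
    check that a leading double slash slips past."""
    return path.startswith("/WEB-INF/")


def canonical_segments(path: str) -> list:
    """Percent-decode, collapse repeated slashes, resolve '.' and '..',
    and return the remaining path segments in lower case."""
    decoded = unquote(path)
    # posixpath.normpath keeps a leading '//' (POSIX allows it), so strip
    # all leading slashes and re-add exactly one before normalising.
    normalized = normpath("/" + decoded.lstrip("/"))
    return [seg.lower() for seg in normalized.split("/") if seg]


def normalized_is_forbidden(path: str) -> bool:
    """Deny any request whose canonical path contains a WEB-INF segment,
    whether under the default application or under /app1, /app2, ..."""
    return "web-inf" in canonical_segments(path)


def bypasses(paths) -> list:
    """Return the paths the naive check lets through but the
    canonicalising check denies, i.e. the filter's blind spots."""
    return [p for p in paths
            if not naive_is_forbidden(p) and normalized_is_forbidden(p)]


if __name__ == "__main__":
    for p in bypasses(REQUESTS):
        print("naive check misses:", p)
```

    Running the block lists every sample request that the raw prefix
    check would have served but that resolves to a WEB-INF resource.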

SOLUTION

    Follow the recommendations given in Allaire Security Bulletin
    ASB00-27.