COMMAND

    JRun

SYSTEMS AFFECTED

    JRun 3.0

PROBLEM

    Following is based on  a Foundstone Security Advisory  by Shreeraj
    Shah,  Saumil  Shah  and  Stuart  McClure.   A  denial  of service
    vulnerability exists within the  Allaire JRun 3.0 web  application
    server which allows an attacker to bring down the JRun application
    server engine.

    JRun 3.0 is a Java application server, supporting JavaServer  Pages
    (JSP), Java  servlets and  other Java-related  technologies.    The
    /servlet URL prefix is mapped as a handler for invoking servlets.

    Servlets are stored in a hierarchical manner and are accessed  via
    a naming convention of the type:

        <dir>.<dir>. ... <dir>.<servlet>

    Hence if a servlet called  test is stored under com/site/test,  it
    is invoked by the URL:

        http://site.running.jrun/servlet/com.site.test

    If  a  large  string  of  dots  is  placed after the /servlet/ URL
    prefix, such as:

        http://site.running.jrun/servlet/................ (hundreds of "."s)

    it is interpreted, with each dot treated as a package separator, as
    a very deep tree of non-existent directories  when JRun looks for the
    servlet.  This causes the JRun server engine to temporarily  consume
    system resources at a high priority, and brings about  a temporary
    denial of service  for the JRun  server engine.  Other services  on
    the host are not affected.

    If many such URL requests  are made, the JRun  server engine (specifically
    the javaw process) does not recover, and all other requests that
    depend on JRun are denied.
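    The following is an added example and is not part of the Foundstone
    advisory or of JRun itself.  It models the dotted-name-to-path mapping
    described above (com.site.test -> com/site/test) and scans constructed
    access-log lines for /servlet/ requests whose dotted name contains an
    empty package component (consecutive, leading or trailing dots, which
    no real package can have) or an implausibly deep package path.  The
    sample log lines, the Common Log Format parsing, and the
    MAX_COMPONENTS threshold are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample access-log lines in Common Log Format. They are not
# real JRun logs; the two 192.168.1.9 entries model the dotted /servlet/
# requests described in the advisory (one raw, one percent-encoded).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2000:10:00:01 -0500] "GET /servlet/com.site.test HTTP/1.0" 200 512',
    '10.0.0.5 - - [01/Dec/2000:10:00:02 -0500] "GET /servlet/com.site.admin.Status HTTP/1.0" 200 1024',
    '192.168.1.9 - - [01/Dec/2000:10:00:03 -0500] "GET /servlet/' + "." * 200 + ' HTTP/1.0" 500 0',
    '192.168.1.9 - - [01/Dec/2000:10:00:04 -0500] "GET /servlet/' + "%2e" * 40 + ' HTTP/1.0" 500 0',
    '10.0.0.7 - - [01/Dec/2000:10:00:05 -0500] "GET /index.html HTTP/1.0" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d+) (?P<size>\S+)$'
)

SERVLET_PREFIX = "/servlet/"
# Assumed threshold: legitimate dotted names in this deployment are short.
MAX_COMPONENTS = 16


def servlet_components(name):
    """Split a dotted servlet name into the package directories JRun walks.

    'com.site.test' -> ['com', 'site', 'test']; a run of N dots yields N+1
    empty components, i.e. N+1 lookups for directories that cannot exist.
    """
    return name.split(".")


def servlet_name_to_path(name):
    """Map a dotted servlet name to the class path it resolves to."""
    return "/".join(servlet_components(name))


def longest_dot_run(name):
    """Length of the longest run of consecutive dots in the name."""
    best = cur = 0
    for ch in name:
        cur = cur + 1 if ch == "." else 0
        best = max(best, cur)
    return best


def classify_request(path):
    """Return None for non-/servlet/ paths, else (servlet_name, reason).

    reason is None for a well-formed name and a short string otherwise.
    Percent-encoding is decoded first so '%2e' cannot slip past the check.
    """
    decoded = unquote(urlparse(path).path)
    if not decoded.startswith(SERVLET_PREFIX):
        return None
    name = decoded[len(SERVLET_PREFIX):]
    if not name:
        # Bare /servlet/ names no servlet at all; nothing to resolve.
        return name, None
    comps = servlet_components(name)
    if "" in comps:
        # Leading, trailing or consecutive dots: no real package is empty.
        return name, "empty package component (dot run %d, %d lookups)" % (
            longest_dot_run(name), len(comps))
    if len(comps) > MAX_COMPONENTS:
        return name, "unusually deep package path (%d components)" % len(comps)
    return name, None


def scan_log(lines):
    """Return a list of (client_ip, servlet_name, reason) for suspicious requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        result = classify_request(m.group("path"))
        if result is not None and result[1] is not None:
            hits.append((m.group("ip"), result[0], result[1]))
    return hits


if __name__ == "__main__":
    for ip, name, reason in scan_log(SAMPLE_LOG):
        print("%s  /servlet/%s...  %s" % (ip, name[:20], reason))
```

    Run against the constructed lines, only the two 192.168.1.9 requests
    are reported; the encoded variant is caught because the path is
    percent-decoded before the dots are counted.  The same predicate can
    be applied in a front-end proxy to reject such requests before they
    reach the JRun engine.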

SOLUTION

    Follow  the  recommendations  given  in  Allaire Security Bulletin
    ASB00-30, available at: http://www.allaire.com/security/