| VID | 22072 |
| Severity | 30 |
| Port | 8000, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | Allaire JRun Web Server version 3.0 could allow a remote attacker to obtain directory listings. Requesting a URL with '/./' prepended to it makes the JRun Web Server display the contents of the remote directory instead of its index.html file. A remote attacker can also submit a specially crafted URL containing "/./WEB-INF/" to obtain a directory listing and view files from the WEB-INF directory. |
| Recommendation | Apply the latest Service Pack for JRun 3.0 (SP2 or later), as listed in Allaire Security Bulletin ASB01-02. See References. |
| Related URL | CVE-2001-0179 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | 6008 (ISS) |