| VID |
22073 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
Servlet |
| Detailed Description |
Windows platforms running IIS 4.0/5.0 connected to Allaire JRun 3.0/3.1 mishandle URLs containing '%3f.jsp', which could allow an attacker file system access under the web server root directory (normally \inetpub\wwwroot). Example:
http://www.target.com/%3f.jsp
This problem only applies to Microsoft IIS.
* References:
  - http://www.securiteam.com/windowsntfocus/6N0140035G.html
  - http://www.iss.net/security_center/static/7623.php |
| Recommendation |
Macromedia recommends, as a best practice, turning off directory browsing for the JRun Default Server in the following applications:
- Default Application (the application with the '/' mapping that causes the security problem)
- Demo Application
Also make sure that any newly created web application that uses the '/' mapping has directory browsing turned off.
The changes to make in the JRun Management Console (JMC):
- JRun Default Server/Web Applications/Default User Application/File Settings/Directory Browsing Allowed: set to FALSE.
- JRun Default Server/Web Applications/JRun Demo/File Settings/Directory Browsing Allowed: set to FALSE.
Restart the servers after making the changes; the %3f.jsp request should now return a 403 Forbidden. Once this bug is fixed, the request (regardless of the directory browsing setting) should return a '404 page not found'.
The directory browsing property is called [file.browsedirs]. Changing the property via the JMC causes the following: JRun 3.0 writes [file.browsedirs=false] to the local.properties file (a server-wide change); JRun 3.1 writes [file.browsedirs=false] to the webapp.properties file of the application. |
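As an added audit example (not part of this record and not JRun's own code): a Python script that reads the property files the JMC edits and reports every place where file.browsedirs is not explicitly false. The version-to-file layout follows the description above; the sample file contents are constructed, and treating a missing property as a finding is an assumption.

```python
"""Audit JRun property files for file.browsedirs (added example, not JRun code).
Assumed layout from the advisory: JRun 3.0 stores the setting server-wide in
local.properties, JRun 3.1 per application in webapp.properties; a missing
property is reported because only an explicit 'false' proves the JMC change."""

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value
    (first separator wins), later keys override. No continuations or escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            cut = min(seps)
            props[line[:cut].strip()] = line[cut + 1:].strip()
        else:
            props[line] = ""
    return props

def browsing_disabled(text):
    """True only when file.browsedirs is explicitly false (the value the JMC writes)."""
    return parse_properties(text).get("file.browsedirs", "").lower() == "false"

def audit(version, local_properties, webapp_properties):
    """Return findings: local_properties is the text of local.properties,
    webapp_properties maps application name -> text of its webapp.properties."""
    findings = []
    if version == "3.0":
        if not browsing_disabled(local_properties):
            findings.append("local.properties: file.browsedirs is not false")
    elif version == "3.1":
        for app, text in sorted(webapp_properties.items()):
            if not browsing_disabled(text):
                findings.append(f"{app}: file.browsedirs is not false")
    else:
        raise ValueError(f"unsupported JRun version: {version}")
    return findings

# Constructed sample files: a 3.0 server after the JMC change, and a 3.1 server
# where the demo application was fixed but the default application was not.
LOCAL_30 = "# JRun 3.0 local.properties\nfile.browsedirs=false\n"
APPS_31 = {
    "Default User Application": "file.browsedirs=true\n",
    "JRun Demo": "! edited via JMC\nfile.browsedirs = false\n",
}
```

Run `audit("3.1", "", APPS_31)` to see the default application reported while the demo application passes.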
| Related URL |
CVE-2001-1510 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |