JRun Exposes Sensitive System Information
Reported June 22 by Allaire

VERSIONS AFFECTED
JRun 2.3.x (all editions)

DESCRIPTION

JRun 2.3.x ships with several servlet examples, which are located in the JRUN_HOME/servlets directory. The directory is used by JRun to load and execute servlets. The .java and .class files in this directory can potentially expose sensitive information from a Web site.

For example, the URL http://hostname/servlet/SessionServlet exposes all of the current HttpSession ids that are maintained by the server.

In addition, the JRUN_HOME/jsm-default/services/jws/htdocs directory contains JSP sample files that demonstrate various functions on the server. Some of the samples can access the server's file system or expose the server's configuration information.

For example, path checking is disabled by default for viewsource.jsp, so it can be used to serve any file from the server's filesystem to an HTTP client.

VENDOR RESPONSE

Allaire issued a bulletin indicating they intend to address the known issues in the next JRun 2.3.3 maintenance release, which should be available to JRun customers in the third quarter of this year.

Until the maintenance release is available, Allaire customers should protect themselves by removing the problematic files from their servers. Allaire also publishes Security Best Practices documents. A Security Best Practices document relevant to removing sample applications and online documentation from production web servers can be found at: http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full
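The following script is an added example for the workaround above; it is not Allaire's code. It moves the sample files this bulletin names (SessionServlet in JRUN_HOME/servlets and viewsource.jsp in JRUN_HOME/jsm-default/services/jws/htdocs) out of the directories JRun serves from into a quarantine directory outside the web root, then reports whether any of them remain. The bulletin does not list the other sample file names, so only these are moved; the JRUN_HOME layout is the one described above, and the demo directory tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example (not Allaire's code): quarantine the JRun 2.3.x sample files
# named in the bulletin by moving them out of the directories JRun serves from.
# Assumption: JRUN_HOME uses the layout described in the bulletin. Other sample
# file names are not given there, so only these three files are handled.

# Sample files the bulletin names, relative to JRUN_HOME (one per line).
JRUN_SAMPLE_FILES="servlets/SessionServlet.class
servlets/SessionServlet.java
jsm-default/services/jws/htdocs/viewsource.jsp"

# Count how many of the named sample files are still present under JRUN_HOME.
# Prints the count on stdout.
jrun_samples_remaining() {
    jrun_home="$1"
    remaining=0
    for rel in $JRUN_SAMPLE_FILES; do
        if [ -f "$jrun_home/$rel" ]; then
            remaining=$((remaining + 1))
        fi
    done
    echo "$remaining"
}

# Move each named sample file from JRUN_HOME into a quarantine directory
# (which must lie outside any web root), preserving its relative path so it
# can be restored if needed. Other files in the same directories, such as a
# customer's own servlets, are left untouched. Prints the number moved.
jrun_quarantine_samples() {
    jrun_home="$1"
    quarantine="$2"
    moved=0
    for rel in $JRUN_SAMPLE_FILES; do
        src="$jrun_home/$rel"
        [ -f "$src" ] || continue
        mkdir -p "$quarantine/$(dirname "$rel")"
        mv "$src" "$quarantine/$rel"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Demo against a constructed JRUN_HOME tree in a temporary directory.
jrun_demo() {
    tmp=$(mktemp -d)
    home="$tmp/jrun"
    mkdir -p "$home/servlets" "$home/jsm-default/services/jws/htdocs"
    # Constructed stand-ins for the sample files; their contents are irrelevant.
    : > "$home/servlets/SessionServlet.class"
    : > "$home/servlets/SessionServlet.java"
    : > "$home/jsm-default/services/jws/htdocs/viewsource.jsp"
    # A hypothetical customer servlet that must survive the cleanup.
    : > "$home/servlets/MyAppServlet.class"

    echo "before: $(jrun_samples_remaining "$home") sample files present"
    echo "moved:  $(jrun_quarantine_samples "$home" "$tmp/quarantine")"
    echo "after:  $(jrun_samples_remaining "$home") sample files present"
    echo "kept:   $(ls "$home/servlets")"
    rm -rf "$tmp"
}

# Run the demo with:  sh quarantine_jrun_samples.sh --demo
# On a real server call:  jrun_quarantine_samples "$JRUN_HOME" /var/jrun-quarantine
if [ "${1:-}" = "--demo" ]; then
    jrun_demo
fi
```

After running it on a live server, confirm that requests for /servlet/SessionServlet and viewsource.jsp no longer return a page, and keep the quarantine directory out of every document root that JRun or the front-end web server publishes.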

CREDITS
Discovered and reported by Allaire