Allaire JRun 2.3.x Sample Files Vulnerability

A number of vulnerabilities exist in Allaire JRun 2.3.x when the documentation, sample code, examples, applications and tutorials are present on the host server. These are shipped with JRun and should be manually removed in order to eliminate the vulnerabilities.

Remote users may use these sample files to view sensitive information, such as the filesystem and system configuration, or to execute various functions on the server.

E.g.
1) Accessing http://target/servlet/SessionServlet will display all of the current HttpSession ids that are maintained by the server.
2) The viewsource.jsp path checking is disabled by default. This makes it possible for a remote user to view any file on the server.
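As an added example (not part of the advisory and not Allaire's code), the following detection logic scans web server access logs for requests to the two sample endpoints named above, so that a defender can confirm the sample components are gone and spot any probing. It assumes Common Log Format lines; the log lines, the /jsp/ location of viewsource.jsp and its query parameter name are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Sample endpoints named in the advisory, matched as substrings of the
# request path so that any deployment prefix is caught.
SENSITIVE_PATHS = {
    "/servlet/SessionServlet": "HttpSession id disclosure",
    "viewsource.jsp": "arbitrary file read via sample source viewer",
}

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def classify_request(line):
    """Return (client, path, reason, status) when the request touches a
    sample endpoint, otherwise None."""
    m = CLF.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    # Drop the query string and decode %xx escapes before comparing,
    # so encoded or mixed-case requests are not missed.
    path = unquote(urlsplit(target).path)
    for needle, reason in SENSITIVE_PATHS.items():
        if needle.lower() in path.lower():
            return (client, path, reason, int(status))
    return None


def scan_log(lines):
    """Return every flagged request in order of appearance."""
    return [hit for hit in (classify_request(l) for l in lines) if hit]


# Constructed sample log lines (not real traffic); the ?source= parameter
# name is an assumption for the example, not taken from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2010:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.7 - - [01/Jan/2010:10:00:03 +0000] "GET /servlet/SessionServlet HTTP/1.0" 200 1833',
    '10.0.0.7 - - [01/Jan/2010:10:00:09 +0000] "GET /jsp/viewsource.jsp?source=index.jsp HTTP/1.0" 200 2400',
    '10.0.0.9 - - [01/Jan/2010:10:01:00 +0000] "GET /Servlet/sessionservlet HTTP/1.0" 404 220',
]

if __name__ == "__main__":
    for client, path, reason, status in scan_log(SAMPLE_LOG):
        # A 200 means the sample component is still installed and answering.
        state = "STILL PRESENT" if status == 200 else "probe only"
        print(f"{client} {path} -> {reason} ({state})")
```

Any hit with a 200 status indicates the sample component is still deployed and should be removed as the advisory recommends.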

Copyright 2010, SecurityFocus