Allaire JRun SSI Arbitrary File Source Disclosure Vulnerability
Allaire JRun is a web application development suite with JSP and Java Servlets. JRun supports Server Side Includes (SSI), which allow a webmaster to include various files in an otherwise static HTML file. Values that might be included are the current time on a website or a page's last-modified date and time. By default, the file extension associated with the SSI handler is .shtml.
JRun contains a vulnerability that allows a user to access the contents of files within the webroot. Submitting a specially crafted request for a non-existent .shtml file along with a known file will reveal the contents of the known file residing on the host. The issue results from a flaw in the server-side component that handles requests for SSI pages. Files that are normally interpreted as executable content (JSP scripts) will have their source code, which may be sensitive, output when requested through this vulnerability.
It is also possible for attackers to execute arbitrary Java servlets, regardless of whether the mapping has been disabled.
JRun access controls set on files will not prevent their disclosure.
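A log check built on the behaviour described above, as an added example that is not part of the original advisory: it flags requests for .shtml paths that do not exist under the webroot yet were answered successfully. It assumes Common Log Format access logs, an inventory of the .shtml paths actually deployed, and that a disclosed file is returned with status 200; the function names and sample lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalise(target):
    """Decode the request target and collapse dot segments in its path."""
    return posixpath.normpath(unquote(urlsplit(target).path))

def suspicious_ssi_requests(log_lines, known_shtml, ok_statuses=(200,)):
    """Flag .shtml requests answered successfully although no such file exists.

    known_shtml: URL paths of the .shtml files really deployed under the webroot.
    ok_statuses: assumption that a disclosed file comes back with one of these.
    """
    known = {normalise(p) for p in known_shtml}
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue  # not a parseable access-log entry
        path = normalise(m["target"])
        if not path.endswith(".shtml") or path in known:
            continue  # not handled by SSI, or a legitimate SSI page
        if int(m["status"]) in ok_statuses:
            hits.append((m["host"], m["method"], path, m["size"]))
    return hits

# Constructed sample data (not taken from the advisory).
KNOWN_SHTML = ["/index.shtml", "/news/today.shtml"]
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2002:10:00:00 +0000] "GET /index.shtml HTTP/1.0" 200 1432',
    '192.0.2.44 - - [01/Jan/2002:10:00:05 +0000] "GET /nosuchpage.shtml HTTP/1.0" 200 5120',
    '192.0.2.44 - - [01/Jan/2002:10:00:09 +0000] "GET /missing.shtml HTTP/1.0" 404 210',
    '192.0.2.10 - - [01/Jan/2002:10:00:12 +0000] "GET /news/../index.shtml HTTP/1.0" 200 1432',
    '192.0.2.10 - - [01/Jan/2002:10:00:15 +0000] "GET /app/login.jsp HTTP/1.0" 200 900',
    '192.0.2.44 - - [01/Jan/2002:10:00:20 +0000] "GET /app/x1.shtml?a=1 HTTP/1.0" 200 7301',
]

if __name__ == "__main__":
    for hit in suspicious_ssi_requests(SAMPLE_LOG, KNOWN_SHTML):
        print("review:", hit)
```

Hits are leads for review rather than proof of disclosure; a large response size for a page that does not exist is the detail worth checking first.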