exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

asb00-15.jrun.samplecode

asb00-15.jrun.samplecode
Posted Jul 1, 2000
Site allaire.com

Allaire Security Bulletin (ASB00-15) - JRun 2.3.x includes a number of example applications and sample code that expose security issues. JRun 3.0 addresses the viewsource.jsp issue. Allaire strongly recommends that customers follow the best practice of not installing sample code and documentation on production servers, and removing the sample code and documentation files from production servers and restricting access to those directories where they are installed on workstations.

SHA-256 | 583cfb90648a70c3c326d209d85aa4bf0da94b52d4569f3b24edec6c712872d5

asb00-15.jrun.samplecode

Change Mirror Download
Allaire Security Bulletin (ASB00-15)
Workaround available for vulnerabilities exposed by JRun 2.3.x code sample

Originally Posted: June 22, 2000
Last Updated: June 22, 2000

Summary

JRun 2.3.x includes a number of example applications and sample code that expose security
issues. JRun 3.0 addresses the viewsource.jsp issue. Allaire strongly recommends that
customers follow the best practice of not installing sample code and documentation on
production servers, and removing the sample code and documentation files from production
servers and restricting access to those directories where they are installed on workstations.

Issue

JRun 2.3.x ships with several servlet examples. They are located at the JRUN_HOME/servlets
directory. This directory is pre-configured for use by JRun 2.3.x to load and execute servlets.
The files with a .java or .class extension in this directory must be removed because these
servlets potentially expose otherwise secure information from a production site. For example,
https://hostname/servlet/SessionServlet exposes all of the current HttpSession ids that are
maintained by the server.

Another directory that should be emptied up is the
JRUN_HOME/jsm-default/services/jws/htdocs directory. This directory contains JSP sample
files that demonstrate various functions on the server side. Some of the samples involve
accessing a server's filesystem or exposing a server's configurations. It is absolutely necessary
to remove all of these files from any production site. For example, for viewsource.jsp path
checking is disabled by default and can be used to serve any file from the server's filesystem to
an HTTP client.

Affected Software Versions

JRun 2.3.x (all editions)

What Allaire is Doing

Allaire intends to address the known issues in the next JRun 2.3.3 maintenance release, which
should be available to JRun customers in the third quarter of this year. Until the maintenance
release is available, customers should protect themselves by removing the problematic files from
their servers.

Allaire also publishes Security Best Practices documents. A Security Best Practices document
relevant to removing sample applications and online documentation from production web
servers can be found at:

https://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full

What Customers Should Do

Customers should install the 2.3.3 service pack on all of their servers when it is available.

Furthermore, we recommend that customers remove all documentation, sample code, examples,
and tutorials from production servers. The examples that are installed with JRun 2.3.x are
installed in the JRUN_HOME/servlets directory and the
JRUN_HOME/jsm-default/services/jws/htdocs directory. All files placed in these directories by
the JRun installation should be removed. As a general security best practice, sample code and
example applications should not be installed on production servers.

Acknowledgements

On June 20, 2000 Allaire was first notified of this issue, and on June 22, 2000, Allaire
responded with this Security Bulletin.

Allaire would like to recognize Global Integrity Corporation and Quualudes for helping to identify
some of the issues related to this bulletin.

Revisions
June 22, 2000 -- Bulletin first created.

Reporting Security Issues
Allaire is committed to addressing security issues and providing customers with the information
on how they can protect themselves. If you identify what you believe may be a security issue
with an Allaire product, please send an email to secure@allaire.com. We will work to
appropriately address and communicate the issue.

Receiving Security Bulletins
When Allaire becomes aware of a security issue that we believe significantly affects our products
or customers, we will notify customers when appropriate. Typically this notification will be in the
form of a security bulletin explaining the issue and the response. Allaire customers who would
like to receive notification of new security bulletins when they are released can sign up for our
security notification service.

For additional information on security issues at Allaire, please visit the Security Zone at:
https://www.allaire.com/security

THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF
ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL
ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Allaire reserves the right, from time to time, to update the information in this document with
current information.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close