OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Matt Moore (mattwestpoint.ltd.uk)
Date: Fri Jun 28 2002 - 10:37:50 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Westpoint Security Advisory

    Title: Macromedia JRun Admin Server Authentication Bypass
    Risk Rating: Medium
    Software: Macromedia JRun
    Platforms: WinNT, Win2k, *nix
    Vendor URL: www.macromedia.com
    Author: Matt Moore <mattwestpoint.ltd.uk>
    Date: 28th June 2002
    Advisory ID#: wp-02-0009.txt

    Overview:
    =========
    JRun is Macromedia's servlet / jsp engine. It installs an web based
    administration
    console on TCP port 8000. Before using the console users are required to
    login via
    an HTML form. This form can be bypassed, and administrative functions
    accessed
    without authentication.

    Details:
    ========
    The login form is the default page served up by the server on port 8000.
    By inserting an extra '/' in the URL we bypass the login form and gain
    access to the web based admin console, e.g.

    http://JRun-Server//

    We do not have unrestricted access to the admin console - clicking on
    further links
    returns you to the login page. However, by requesting the desired admin
    function
    in the initial URL we bypass this restriction also, e.g:

    JRun-Server:8000//welcome.jsp?&action=stop&server=default

    will shutdown the 'default' JRun server instance on port 8100. Other
    administrative
    functions can also be accessed.

    Patch Information:
    ==================

    Macromedia have produced a cumulative patch for JRun 3.0/3.1/4.0,
    availability of which is described in the bulletin at:

    http://www.macromedia.com/v1/handlers/index.cfm?ID=23164

    This advisory is available online at:

    http://www.westpoint.ltd.uk/advisories/wp-02-0009.txt