header-logo
Suggest Exploit
vendor:
Jrun
by:
SecurityFocus
7.5
CVSS
HIGH
Arbitrary File Access
22
CWE
Product Name: Jrun
Affected Version From: Jrun 3.0
Affected Version To: Jrun 4.0
Patch Exists: NO
Related CWE: N/A
CPE: a:macromedia:jrun
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: All
2002

Jrun Arbitrary File Access Vulnerability

Jrun contains a vulnerability that allows a user to compile and execute JSP code from an arbitrary file on the webserver's filesystem. This bug is due to the way JSP execution is invoked -- if a requested filename/path is prefixed with '/servlet/'. If a user specifies "../" paths as part of a "/servlet/" request, it is possible to access documents outside of the webroot. The document specified (the complete path must be known by the attacker) will then be compiled and executed as a JSP script. This can be a serious vulnerability if an attacker can send user-input to a file on the filesystem.

Mitigation:

Ensure that all user-input is properly sanitized and that all files are stored outside of the webroot.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/1831/info


Jrun contains a vulnerability that allows a user to compile and execute JSP code from an arbitrary file on the webserver's filesystem. This bug is due to the way JSP execution is invoked -- if a requested filename/path is prefixed with '/servlet/'. If a user specifies "../" paths as part of a "/servlet/" request, it is possible to access documents outside of the webroot. 

The document specified (the complete path must be known by the attacker) will then be compiled and executed as a JSP script. This can be a serious vulnerability if an attacker can send user-input to a file on the filesystem. An example of this is a guestbook application - a malicious user could put JSP code into a guestbook file and then have it executed through this bug (as long as the location of the file is known). 

If exploited successfully this can lead to a complete compromise of the host.

http://target/servlet/com.livesoftware.jrun.plugins.jsp.JSP/../../path/to/filename

http://target/servlet/jsp/../../path/to/filename

Navigation

Suggest Exploit

Services By CQR