Security Advisory: [SA12638] Macromedia JRun Server Multiple Vulnerabilities

[EN] securityvulns.ru
no-pyccku

Related information
  Multiple Macromedia JRun bugs
  ACROS Security: Unsanitized Session ID Cookie Allows Modifying Server Response
  ACROS Security: Session Fixation in JRun Management Console
  ACROS Security: HTML Injection in JRun Management Console
  [Full-Disclosure] iDEFENSE Security Advisory 10.05.04a: ColdFusion MX 6.1 on IIS File Contents Disclosure

From: SECUNIA <support_(at)_secunia.com>
Date: 28.09.2004
Subject: [SA12638] Macromedia JRun Server Multiple Vulnerabilities

TITLE:
Macromedia JRun Server Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA12638

VERIFY ADVISORY:
http://secunia.com/advisories/12638/

CRITICAL:
Moderately critical

IMPACT:
Hijacking, Cross Site Scripting, Exposure of sensitive information,
DoS

WHERE:
>From remote

SOFTWARE:
Macromedia Jrun 4.x
http://secunia.com/product/863/
Macromedia Jrun 3.x
http://secunia.com/product/3941/

DESCRIPTION:
Multiple vulnerabilities have been reported in JRun Server, which can
be exploited by malicious people to hijack an authenticated user's
session, conduct cross-site scripting attacks, disclose sensitive
information, and cause a DoS (Denial of Service).

1) An implementation error in the generation and handling of
JSESSIONIDs can be exploited to hijack an authenticated user's
session.

2) A cross-site scripting and session handling vulnerability in the
JRun Management Console can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of a
vulnerable site, or hijack an authenticated user's session.

3) An URL parsing error can e.g. be exploited to show the source of
any file such as script files inside the web root by appending
";.cfm" to the end of an URL.

NOTE: This vulnerability only affects the Microsoft IIS connector.

4) A boundary error in the verbose logging module can be exploited to
cause the web server to crash.

Successful exploitation requires that "verbose" debug mode is enabled
for the JRun web server connectors (not enabled by default).

The vulnerabilities have been reported in versions 3.0, 3.1, and 4.0.

SOLUTION:
Apply patches.

JRun 3.0 / 3.1:
See the original vendor advisory

JRun 4.0:
http://www.macromedia.com/support/jrun/updaters.html

PROVIDED AND/OR DISCOVERED BY:
1) @Stake
2) Acros
3+4) iDEFENSE

ORIGINAL ADVISORY:
http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.