Note: The red stoplight on this page indicates the highest possible severity level for this category of vulnerabilities, and not necessarily the severity level for a particular vulnerability.
6/3/2002
CVE 2002-0801
JRun includes an ISAPI filter which is used to process requests
for .jsp files. The filter, which can be found in
the scripts virtual directory, can also be requested
directly. Due to a buffer overflow condition, a remote attacker
who accesses the filter directly could create a denial of service
or execute arbitrary code by sending an overly long Host:
header.
JRun 3.0 and 3.1 are affected by this vulnerability if they have not been patched.
11/21/2002
CAN 2002-1310
The Microsoft Internet Information Server (IIS) ISAPI filters that Macromedia
provides with JRun may be vulnerable to a buffer overflow
attack. When a request carries a URL longer than 8,192 characters or HTTP headers longer
than 4,096 characters, IIS can become unresponsive. It is not
necessary that the requested URL exist. This vulnerability could be used to
construct a denial of service attack. In addition, it is possible that
the various structures in the process heap can be overwritten in such a way
as to gain control of the remote IIS process with SYSTEM level access.
JRun 3.0, 3.1 and 4.0 are affected by this vulnerability if they have not been patched.
CVE 2000-1050
CVE 2001-0179
This vulnerability could allow an attacker to view
arbitrary files or directories that are supposed to be hidden,
such as the WEB-INF directory.
This is accomplished by sending a malformed request which
includes an extraneous slash character before the directory
name. It could also be possible to read the web.xml
file. JRun 3.0 and 3.0 SP1 are vulnerable to this attack.
CVE 2000-1051
CAN 2000-1052
This vulnerability could allow an attacker to view
arbitrary files. By making a request to the
SSIFilter servlet including the "../"
string, it is possible to escape from the web root and view
any file on the system. JRun 2.3.3 is affected by this
vulnerability.
CAN 2000-1053
This vulnerability could allow an attacker to execute
arbitrary commands on the server. In order to exploit this
vulnerability, there would need to be an application on the
server which writes user input to a file on the server. The
attacker would need to be able to guess the location of that
file. By putting JSP commands in the input to the
application, and then executing the resulting file as a JSP
page using the JSP servlet, arbitrary code could be executed
on the server. JRun 2.3.3 is affected by this vulnerability.
12/4/2001
Normally, web servers prevent the directory listing from
being displayed when a directory on the web server is requested.
However, by requesting a URL-encoded question mark followed by
the .jsp extension, JRun will return a directory
listing for the web document root, or any directory under the
web document root. Although this vulnerability would not grant
an attacker immediate access, it could be used to discover
potentially vulnerable files on the server, which could then be
used in a future attack. JRun 3.0 and 3.1 with Microsoft IIS web servers
are affected by this vulnerability.
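
The request patterns described on this page can be looked for in logged or proxied requests in front of a JRun server. The following Python check is an added example, not part of the original page or of any vendor tool; the label names, the 255-character Host limit, the placeholder paths and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

MAX_URL = 8192     # URL length named on this page
MAX_HEADER = 4096  # header length named on this page
MAX_HOST = 255     # assumption: the page gives no Host length; DNS names fit in 255

SLASH_WEBINF = re.compile(r"/{2,}WEB-INF", re.I)  # extra slash before WEB-INF
ENC_QMARK_JSP = re.compile(r"%3f\.jsp", re.I)     # URL-encoded '?' then .jsp

def check_request(raw_path, headers):
    """Return sorted labels for the JRun request patterns seen in one request."""
    found = set()
    decoded = unquote(raw_path)  # one decoding pass, so %2F counts as a slash
    if len(raw_path) > MAX_URL:
        found.add("long-url")
    for name, value in headers.items():
        if len(value) > MAX_HEADER:
            found.add("long-header")
        if name.lower() == "host" and len(value) > MAX_HOST:
            found.add("long-host")
    if SLASH_WEBINF.search(decoded):
        found.add("webinf-extra-slash")
    if "ssifilter" in decoded.lower() and "../" in decoded:
        found.add("ssifilter-traversal")
    # Match on the raw path: after decoding, %3f is an ordinary '?'.
    if ENC_QMARK_JSP.search(raw_path):
        found.add("encoded-qmark-jsp")
    return sorted(found)

# Constructed sample requests (not taken from any real log).
SAMPLES = [
    ("/index.jsp", {"Host": "www.example.test"}),
    ("/" + "a" * 9000, {"Host": "www.example.test"}),
    ("/scripts/FILTER_PLACEHOLDER", {"Host": "h" * 5000}),
    ("//WEB-INF/web.xml", {"Host": "www.example.test"}),
    ("/SSIFilter/../../example.txt", {"Host": "www.example.test"}),
    ("/docs/%3F.jsp", {"Host": "www.example.test"}),
]

def scan(samples=SAMPLES):
    """Run check_request over every (path, headers) pair."""
    return [check_request(path, headers) for path, headers in samples]

if __name__ == "__main__":
    for (path, _), labels in zip(SAMPLES, scan()):
        print(path[:40], labels)
```

The same length limits can be enforced at a reverse proxy or request filter so that oversized URLs and headers never reach the ISAPI filter on unpatched servers.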