CVSS2: AV:N/AC:L/Au:N/C:P/I:N/A:N
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: NONE
- Availability Impact: NONE
AI Score confidence: Low
EPSS percentile: 85.7%
Allaire JRun 3.0/3.1 under a Microsoft IIS 4.0/5.0 platform has a
problem handling malformed URLs. This allows a remote user to browse
the file system under the web root (normally \inetpub\wwwroot).
# SPDX-FileCopyrightText: 2005 Felix Huber
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:adobe:jrun";
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.10814");
  script_version("2023-10-10T05:05:41+0000");
  script_tag(name:"last_modification", value:"2023-10-10 05:05:41 +0000 (Tue, 10 Oct 2023)");
  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_cve_id("CVE-2001-1510");

  script_name("Allaire/Macromedia JRun Directory Browsing Vulnerability (MPSB01-13) - Active Check");

  script_category(ACT_ATTACK); # nb: Crafted request might be already seen as an attack

  script_copyright("Copyright (C) 2005 Felix Huber");
  script_family("Web Servers");
  script_dependencies("gb_microsoft_iis_http_detect.nasl", "gb_adobe_jrun_http_detect.nasl", "no404.nasl", "webmirror.nasl", "DDI_Directory_Scanner.nasl");
  script_require_ports("Services/www", 8000);
  # nb:
  # - Seems only affected when running on IIS and not "standalone"
  # - JRun KB key has been added because the detection is also detecting the product via other means
  # and not only via the banner
  script_mandatory_keys("adobe/jrun/http/detected", "microsoft/iis/http/detected");

  script_xref(name:"URL", value:"http://www.allaire.com/handlers/index.cfm?ID=22236&Method=Full");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/3592");

  script_tag(name:"vuldetect", value:"Sends a crafted HTTP GET request and checks the response.");

  script_tag(name:"solution", value:"From Macromedia Product Security Bulletin (MPSB01-13)
Macromedia recommends, as a best practice, turning off directory
browsing for the JRun Default Server in the following applications:
- Default Application (the application with '/' mapping that causes
the security problem)
- Demo Application
Also, make sure any newly created web application that uses the '/'
mapping has directory browsing off.
The changes that need to be made in the JRun Management Console or JMC:
- JRun Default Server/Web Applications/Default User Application/File
Settings/Directory Browsing Allowed set to FALSE.
- JRun Default Server/Web Applications/JRun Demo/File Settings/
Directory Browsing Allowed set to FALSE.
Restart the servers after making the changes and the %3f.jsp request
should now return a 403 forbidden. When this bug is fixed, the request
(regardless of directory browsing setting) should return a '404 page
not found'.
The directory browsing property is called [file.browsedirs]. Changing
the property via the JMC will cause the following changes:
JRun 3.0 will write [file.browsedirs=false] in the local.properties
file. (server-wide change)
JRun 3.1 will write [file.browsedirs=false] in the webapp.properties
of the application.");

  script_tag(name:"summary", value:"Allaire JRun 3.0/3.1 under a Microsoft IIS 4.0/5.0 platform has a
problem handling malformed URLs. This allows a remote user to browse
the file system under the web root (normally \inetpub\wwwroot).");

  script_tag(name:"affected", value:"Under Windows NT/2000 (any service pack) and IIS 4.0/5.0:
- JRun 3.0 (all editions)
- JRun 3.1 (all editions)");

  script_tag(name:"insight", value:"Upon sending a specially formed request to the web server, containing
a '.jsp' extension makes the JRun handle the request. Example:
http://example.com/%3f.jsp");

  script_tag(name:"impact", value:"This vulnerability allows anyone with remote access to the web server
to browse it and any directory within the web root.");

  script_tag(name:"qod_type", value:"remote_vul");
  script_tag(name:"solution_type", value:"Mitigation");

  exit(0);
}
include("http_func.inc");
include("http_keepalive.inc");
include("port_service_func.inc");
include("list_array_func.inc");
include("host_details.inc");
if( ! port = get_app_port( cpe:CPE, service:"www" ) )
  exit( 0 );

if( ! get_app_location( cpe:CPE, port:port, nofork:TRUE ) )
  exit( 0 );

# Request "<dir>/%3f.jsp" in the web root and in each candidate directory
foreach dir( make_list_unique( "/", "/images", "/html", http_cgi_dirs( port:port ) ) ) {

  install = dir;
  if( dir == "/" )
    dir = "";

  req = http_get( item:dir + "/%3f.jsp", port:port );
  res = http_keepalive_send_recv( port:port, data:req );
  if( ! res )
    continue;

  # A directory index in the response means the listing was served
  if( egrep( pattern:"Index of /", string:res ) || ( egrep( pattern:"Directory Listing", string:res ) ) )
    ddir += http_report_vuln_url( port:port, url:install, url_only:TRUE ) + '\n';
}

# ddir stays NULL unless at least one directory returned a listing
if( ! isnull( ddir ) ) {
  report = 'The following directories were found to be browsable:\n\n' + ddir;
  security_message( port:port, data:report );
  exit( 0 );
}

exit( 99 );
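
The mitigation quoted in the solution text comes down to file.browsedirs=false in local.properties (JRun 3.0) or webapp.properties (JRun 3.1). The Python script below is an added example, not part of the plugin or of the Macromedia bulletin: it walks a JRun installation tree and reports, per properties file, whether directory browsing is off, on or not set. Matching any key that ends in file.browsedirs is an assumption, as is the installation path passed on the command line.

```python
import os
import re

# File names come from the bulletin text; everything else is an assumption.
TARGET_FILES = {"local.properties", "webapp.properties"}
# Assumption: the key may carry a prefix, so accept any key ending in file.browsedirs.
KEY_RE = re.compile(r"^\s*([\w.\-]*file\.browsedirs)\s*[=:]\s*(.*?)\s*$", re.I)


def browsedirs_settings(text):
    """Return [(key, value)] for every uncommented file.browsedirs line."""
    found = []
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # Java properties comments
            continue
        m = KEY_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2).lower()))
    return found


def audit_tree(root):
    """Walk root and return {path: status} for each JRun properties file.

    status is "off" (every setting is false), "on" (some setting is not
    false) or "unset" (the file has no file.browsedirs line).
    """
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in TARGET_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                settings = browsedirs_settings(fh.read())
            if not settings:
                results[path] = "unset"
            elif all(value == "false" for _key, value in settings):
                results[path] = "off"
            else:
                results[path] = "on"
    return results


if __name__ == "__main__":
    import sys
    for path, status in sorted(audit_tree(sys.argv[1]).items()):
        print(f"{status:5}  {path}")
```

Files reported as "on" or "unset" are the ones to review against the bulletin's JMC settings before restarting the servers.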