ID

VAR-200006-0150


CVE

CVE-2001-1510


TITLE

Allaire JRun Web Root directory leak vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200112-162

DESCRIPTION

Allaire JRun 2.3.3, 3.0 and 3.1 running on IIS 4.0 and 5.0, iPlanet, Apache, JRun web server (JWS), and possibly other web servers allows remote attackers to read arbitrary files and directories by appending (1) "%3f.jsp", (2) "?.jsp" or (3) "?" to the requested URL.

Many webservers are case-sensitive, but do not have all possible case combinations of their mapped extensions mapped properly. By changing the letters in a JSP or a JHTML file extension from lower case to upper case (e.g. .jsp or .jhtml becomes .JSP or .JHTML) in a URL, the server does not recognize the file extension and sends the file normally. In that manner, a user is able to access the source code of those specific files.

Microsoft IIS 5.0 has a dedicated scripting engine for advanced file types such as ASP, ASA, HTR, etc. The scripting engines handle requests for these file types, process them accordingly, and then execute them on the server. It is possible to force the server to send back the source of known scriptable files to the client if the HTTP GET request contains a specialized header with 'Translate: f' at the end of it, and if a trailing slash '/' is appended to the end of the URL. The scripting engine will be able to locate the requested file; however, it will not recognize it as a file that needs to be processed and will proceed to send the file source to the client.

Allaire JRun is a development suite with JSP and Java Servlets for developing web applications. Allaire JRun is prone to an information-disclosure vulnerability because it fails to handle malformed URLs properly. A remote attacker could access the contents under the webserver root directory. Submitting a request for 'http://server/%3f.jsp' could cause JRun to reveal the contents within the web root. It's also possible to view the contents of any subdirectories along with ACL-protected resources. The attacker could exploit this issue to obtain the source of known files residing on the host, including ASP files.

NOTE: This vulnerability was originally reported to work on Microsoft IIS hosts only, but other webservers (Apache, Jetty) have been reported vulnerable.

# Title: Cisco Collaboration Server 5 XSS, Source Code Disclosure
# Author: s4squatch
# Published: 2010-02-11

Cisco Collaboration Server 5 XSS, Source Code Disclosure
Discovered by: s4squatch of SecureState R&D Team (www.securestate.com)
Discovered: 08/26/2008
Note: End of Engineering --> http://www.cisco.com/en/US/products/sw/custcosw/ps747/prod_eol_notice09186a008032d4d0.html
Replaced with: http://www.cisco.com/en/US/products/ps7233/index.html and http://www.cisco.com/en/US/products/ps7236/index.html

XSS
===
http://www.website.com/webline/html/admin/wcs/LoginPage.jhtml?oper=&dest=">

Java Servlet Source Code Disclosure
===================================
The source code of .jhtml files is revealed to the end user by requesting any of the following:

Normal File: file.html
Modified 1: file%2Ejhtml
Modified 2: file.jhtm%6C
Modified 3: file.jhtml%00
Modified 4: file.jhtml%c0%80

Cisco Collaboration Server 5 Paths It Works On (list may not be complete)
=========================================================================
http://www.website.com/doc/docindex.jhtml
http://www.website.com/browserId/wizardForm.jhtml
http://www.website.com/webline/html/forms/callback.jhtml
http://www.website.com/webline/html/forms/callbackICM.jhtml
http://www.website.com/webline/html/agent/AgentFrame.jhtml
http://www.website.com/webline/html/agent/default/badlogin.jhtml
http://www.website.com/callme/callForm.jhtml
http://www.website.com/webline/html/multichatui/nowDefunctWindow.jhtml
http://www.website.com/browserId/wizard.jhtml
http://www.website.com/admin/CiscoAdmin.jhtml
http://www.website.com/msccallme/mscCallForm.jhtml
http://www.website.com/webline/html/admin/wcs/LoginPage.jhtml

Related Public Info
===================
http://www.securityfocus.com/bid/3592/info
http://www.securityfocus.com/bid/1578/info
http://www.securityfocus.com/bid/1328/info

Scott White <swhite@securestate.com> | Senior Consultant | SecureState

Trust: 1.8

sources: NVD: CVE-2001-1510 // BID: 1328 // BID: 1578 // BID: 3592 // PACKETSTORM: 86199

AFFECTED PRODUCTS

vendor: macromedia | model: jrun | scope: eq | version: 3.1

Trust: 1.9

vendor: macromedia | model: jrun | scope: eq | version: 3.0

Trust: 1.9

vendor: macromedia | model: jrun | scope: eq | version: 2.3.3

Trust: 1.6

vendor: unify | model: ewave servletexec | scope: eq | version: 3.0

Trust: 0.3

vendor: ibm | model: websphere application server | scope: eq | version: 3.0.2.1

Trust: 0.3

vendor: bea | model: systems weblogic server | scope: eq | version: 4.5.1

Trust: 0.3

vendor: bea | model: systems weblogic | scope: eq | version: 4.0.4

Trust: 0.3

vendor: bea | model: systems weblogic | scope: eq | version: 3.1.8

Trust: 0.3

vendor: unify | model: ewave servletexec c | scope: ne | version: 3.0

Trust: 0.3

vendor: microsoft | model: iis | scope: eq | version: 5.0

Trust: 0.3

vendor: microsoft | model: iis | scope: ne | version: 4.0

Trust: 0.3

sources: BID: 1328 // BID: 1578 // BID: 3592 // CNNVD: CNNVD-200112-162 // NVD: CVE-2001-1510

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2001-1510
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-200112-162
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2001-1510
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

sources: CNNVD: CNNVD-200112-162 // NVD: CVE-2001-1510

PROBLEMTYPE DATA

problemtype: NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2001-1510

THREAT TYPE

network

Trust: 0.9

sources: BID: 1328 // BID: 1578 // BID: 3592

TYPE

Unknown

Trust: 0.9

sources: BID: 3592 // CNNVD: CNNVD-200112-162

EXTERNAL IDS

db: BID | id: 3592

Trust: 2.0

db: NVD | id: CVE-2001-1510

Trust: 1.9

db: XF | id: 7623

Trust: 0.6

db: ALLAIRE | id: MPSB01-13

Trust: 0.6

db: CNNVD | id: CNNVD-200112-162

Trust: 0.6

db: BID | id: 1328

Trust: 0.4

db: BID | id: 1578

Trust: 0.4

db: PACKETSTORM | id: 86199

Trust: 0.1

sources: BID: 1328 // BID: 1578 // BID: 3592 // PACKETSTORM: 86199 // CNNVD: CNNVD-200112-162 // NVD: CVE-2001-1510

REFERENCES

url:http://www.securityfocus.com/bid/3592

Trust: 2.6

url:http://www.macromedia.com/v1/handlers/index.cfm?id=22262&method=full

Trust: 2.6

url:http://www.iss.net/security_center/static/7623.php

Trust: 2.6

url:http://online.securityfocus.com/archive/1/242843/2002-07-27/2002-08-02/2

Trust: 2.0

url:http://online.securityfocus.com/archive/1/243203

Trust: 2.0

url:http://www.securityfocus.com/archive/1/243636

Trust: 2.0

url:http://www.servletexec.com/

Trust: 0.3

url:http://www.beasys.com/products/weblogic/index.html

Trust: 0.3

url:http://www-4.ibm.com/software/webservers/appserv/efix.html

Trust: 0.3

url:http://www.microsoft.com/technet/security/bulletin/fq00-058.asp

Trust: 0.3

url:http://www.allaire.com/products/jrun/index.cfm

Trust: 0.3

url:http://www.website.com/doc/docindex.jhtml

Trust: 0.1

url:http://www.website.com/webline/html/admin/wcs/loginpage.jhtml

Trust: 0.1

url:http://www.website.com/callme/callform.jhtml

Trust: 0.1

url:http://www.securityfocus.com/bid/1578/info

Trust: 0.1

url:http://www.cisco.com/en/us/products/ps7233/index.html

Trust: 0.1

url:http://www.website.com/webline/html/forms/callback.jhtml

Trust: 0.1

url:http://www.website.com/browserid/wizard.jhtml

Trust: 0.1

url:http://www.website.com/webline/html/agent/default/badlogin.jhtml

Trust: 0.1

url:http://www.securityfocus.com/bid/1328/info

Trust: 0.1

url:http://www.website.com/webline/html/forms/callbackicm.jhtml

Trust: 0.1

url:http://www.website.com/msccallme/msccallform.jhtml

Trust: 0.1

url:http://www.website.com/browserid/wizardform.jhtml

Trust: 0.1

url:http://www.website.com/webline/html/admin/wcs/loginpage.jhtml?oper=&dest=">

Trust: 0.1

url:http://www.website.com/webline/html/multichatui/nowdefunctwindow.jhtml

Trust: 0.1

url:http://www.cisco.com/en/us/products/ps7236/index.html

Trust: 0.1

url:http://www.securityfocus.com/bid/3592/info

Trust: 0.1

url:https://www.securestate.com/

Trust: 0.1

url:http://www.website.com/webline/html/agent/agentframe.jhtml

Trust: 0.1

url:http://www.website.com/admin/ciscoadmin.jhtml

Trust: 0.1

url:http://www.cisco.com/en/us/products/sw/custcosw/ps747/prod_eol_notice09186a008032d4d0.html

Trust: 0.1

sources: BID: 1328 // BID: 1578 // BID: 3592 // PACKETSTORM: 86199 // CNNVD: CNNVD-200112-162 // NVD: CVE-2001-1510

CREDITS

Discovered by George Hedfors <george.hedfors@defcom.com> of Defcom Labs and published in Macromedia Product Security Bulletin (MPSB01-13) on November 27, 2001.

Trust: 0.9

sources: BID: 3592 // CNNVD: CNNVD-200112-162

SOURCES

db: BID | id: 1328
db: BID | id: 1578
db: BID | id: 3592
db: PACKETSTORM | id: 86199
db: CNNVD | id: CNNVD-200112-162
db: NVD | id: CVE-2001-1510

LAST UPDATE DATE

2024-11-22T22:51:42.584000+00:00


SOURCES UPDATE DATE

db: BID | id: 1328 | date: 2000-06-08T00:00:00
db: BID | id: 1578 | date: 2000-08-14T00:00:00
db: BID | id: 3592 | date: 2009-11-03T15:27:00
db: CNNVD | id: CNNVD-200112-162 | date: 2005-10-20T00:00:00
db: NVD | id: CVE-2001-1510 | date: 2024-11-20T23:37:51.470

SOURCES RELEASE DATE

db: BID | id: 1328 | date: 2000-06-08T00:00:00
db: BID | id: 1578 | date: 2000-08-14T00:00:00
db: BID | id: 3592 | date: 2001-11-27T00:00:00
db: PACKETSTORM | id: 86199 | date: 2010-02-12T06:51:39
db: CNNVD | id: CNNVD-200112-162 | date: 2001-12-31T00:00:00
db: NVD | id: CVE-2001-1510 | date: 2001-12-31T05:00:00