SecurityTracker.com

Category:   Application (Web Server/CGI)  >   Macromedia JRun
Vendors:   Macromedia
Macromedia JRun Discloses Page Source Code to Remote Users
SecurityTracker Alert ID:  1007161
SecurityTracker URL:  http://securitytracker.com/id/1007161
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 10 2003
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 4.0
Description:   An information disclosure vulnerability was reported in Macromedia's JRun server when running with the Apache web server on Windows-based systems. A remote user can view JSP source code.

It is reported that a remote user can append an encoded space character (%20) to the end of a URL to view the source code of '.jsp' pages. The flaw only affects Apache 1.3.x and 2.x users on Windows platforms, according to the advisory.

Macromedia credits Matthew Argyle of University College Chichester for discovery of the flaw and Jerry Logue of Aquilent for reporting the flaw.

Impact:   A remote user can view page source code.
Solution:   A patch is available (Apache 1.3 and 2.0 connectors):

http://download.macromedia.com/pub/security/mpsb03-04.zip

The patch requires:

JRun 4.0 - JRun 4.0 SP1/SP1a or JRun 4.0 Updater 2.

See the vendor URL for installation instructions.

Vendor URL:  www.macromedia.com/devnet/security/security_zone/mpsb03-04.html
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.
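
Detection example (added here; not part of the SecurityTracker alert or the Macromedia advisory): a log review that flags requests for '.jsp', '.cfm', '.cfc' or '.cfml' pages whose path ends in an encoded space (%20), so administrators can check whether source was served before the patch was applied. The Apache common/combined log format, the function name and the sample log lines are assumptions made for this example.

```python
import re

# Extensions named in the advisory: .jsp (JRun) and .cfm/.cfc/.cfml (ColdFusion MX).
SCRIPT_EXT = (".jsp", ".cfm", ".cfc", ".cfml")

# Assumption: Apache common/combined log format, where %r records the raw request line.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (documentation IP ranges), not taken from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jul/2003:10:15:01 +0000] "GET /index.jsp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jul/2003:10:15:09 +0000] "GET /login.jsp%20 HTTP/1.1" 200 2291',
    '198.51.100.7 - - [10/Jul/2003:10:15:12 +0000] "GET /app/query.cfm%20?id=4 HTTP/1.0" 404 310',
    '192.0.2.10 - - [10/Jul/2003:10:16:40 +0000] "GET /docs/release%20notes.html HTTP/1.1" 200 880',
    '203.0.113.5 - - [10/Jul/2003:10:17:02 +0000] "GET /img/logo.gif%20 HTTP/1.1" 404 310',
]

def find_trailing_space_requests(lines):
    """Return requests whose path is a script name followed by encoded space(s)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a request line in the assumed format
        path = m.group("target").split("?", 1)[0]  # ignore the query string
        base = path
        while base.lower().endswith("%20"):
            base = base[:-3]
        # Skip paths with no trailing %20 and paths that are not script pages.
        if base == path or not base.lower().endswith(SCRIPT_EXT):
            continue
        status = int(m.group("status"))
        hits.append({
            "host": m.group("host"),
            "time": m.group("time"),
            "path": path,
            "status": status,
            # A 200 means content was returned; compare the body with the rendered page.
            "served": status == 200,
        })
    return hits

if __name__ == "__main__":
    for hit in find_trailing_space_requests(SAMPLE_LOG):
        print(hit)
```

Hits with "served" set to True are the ones to review first, since any credentials or connection strings embedded in those pages should be treated as exposed.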


 Source Message Contents

Subject:  MPSB03-04 Patch for Apache 1.3.x, 2.0 View Source Vulnerability in


http://www.macromedia.com/devnet/security/security_zone/mpsb03-04.html

MPSB03-04 Patch for Apache 1.3.x, 2.0 View Source Vulnerability in ColdFusion MX and JRun 
4.0 on Windows

Macromedia has issued a patch to correct a source code disclosure vulnerability. 
According to the advisory, a remote user can append an encoded space character (%20) to 
the end of a URL to view the source code of .cfm, .cfc, .cfml (ColdFusion MX), or .jsp 
(JRun) pages.  The flaw only affects Apache 1.3.x and 2.x users on Windows platforms.

The following versions are affected:

ColdFusion MX (Standard Edition)

ColdFusion MX for J2EE (JRun)

JRun 4.0 (All Editions)


A patch is available (Apache 1.3 and 2.0 connectors):

http://download.macromedia.com/pub/security/mpsb03-04.zip

The patch requires:

ColdFusion MX Standard - ColdFusion MX Updater 3 or higher. (Build 58500 in the ColdFusion 
MX administrator)

ColdFusion MX for J2EE JRun or JRun 4.0 - JRun 4.0 SP1/SP1a or JRun 4.0 Updater 2.

See the vendor advisory for installation instructions.

Macromedia credits Matthew Argyle of University College Chichester for discovery of the 
flaw and Jerry Logue of Aquilent for reporting the flaw.

-----

Severity Rating
Critical



 
 



Copyright 2019, SecurityGlobal.net LLC