SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Macromedia JRun
Vendors:   Adobe Systems Incorporated, Macromedia
JRun Server Discloses Source Code to Remote Users and Lets Remote Users Deny Service
SecurityTracker Alert ID:  1015370
SecurityTracker URL:  http://securitytracker.com/id/1015370
CVE Reference:   CVE-2005-4472, CVE-2005-4473
Updated:  Dec 22 2005
Original Entry Date:  Dec 16 2005
Impact:   Denial of service via network, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.0
Description:   Two vulnerabilities were reported in JRun. A remote user may be able to view source code. A remote user may also be able to cause denial of service conditions.

A remote user can supply a specially crafted URL to cause the JRun server to display web application source code.

A remote user can supply a specially crafted URL or HTTP header to trigger a flaw in the JRun Web Server and cause denial of service conditions on the target server.

Adobe credits Alex Daley with reporting the view source vulnerability and iDEFENSE with reporting the JWS vulnerability.

Impact:   A remote user can view web application source code.

A remote user can cause denial of service conditions.

Solution:   The vendor has issued a fix (JRun 4.0 Updater 6 release) as part of a cumulative update, available at:

http://www.macromedia.com/go/jrun_updater

Vendor URL:  www.macromedia.com/devnet/security/security_zone/mpsb05-13.html
Cause:   Exception handling error, Input validation error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Adobe Security Bulletins


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Adobe Security Bulletins: 

- Flash Media Server 
- ColdFusion MX 6.X 
- JRun 4.0 server 
- ColdFusion MX 7  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

Vulnerability in Flash Media Server 

Originally posted: December 15, 2005

Summary: 
This bulletin addresses a publicly reported security issue 
with Flash Media Server.

Affected Software Versions: 
* Flash Media Server 2.0
* Flash Media Server 1.5

Severity Rating: 
Adobe categorizes this issue as important and recommends 
users apply this workaround to their installations:  
http://www.macromedia.com/go/mpsb05-11 

Learn more: 
http://www.macromedia.com/go/mpsb05-11 

~~~~~~~ 

MPSB05-12 Sandbox Security and CFMAIL Vulnerability in 
ColdFusion MX 6.X 

Originally posted: December 15, 2005

Summary: 
This bulletin addresses two (2) privately reported security 
issues with ColdFusion 6.X. 

Affected Software Versions: 
ColdFusion MX 6.0 
ColdFusion MX 6.1 
ColdFusion MX 6.1 with JRun 

Severity Rating: 
Adobe categorizes this issue as an important issue and 
recommends users patch their installations.

Learn more: 
http://www.macromedia.com/go/mpsb05-12 

~~~~~~~ 

MPSB05-13 Cumulative Security Updater for JRun 4.0 
server 

Originally posted: December 15, 2005

Summary: 
This is a cumulative security updater for JRun server 
that includes all previously released patches for 4.0. 

Affected Software Versions:  
JRun 4.0 (all editions) 

Severity Rating: 
Adobe categorizes this issue as an important issue 
and recommends users patch their installations.

Learn more: 
http://www.macromedia.com/go/mpsb05-13 

~~~~~~~ 

MPSB05-14 Cumulative Security Updater for ColdFusion MX 7 

Originally posted: December 15, 2005

Summary:  
This is a cumulative security updater for ColdFusion MX 7 
server that includes all previously released patches. 

Affected Software Versions: 
ColdFusion MX 7.0

Severity Rating: 
Adobe categorizes this issue as an important issue and 
recommends users patch their installations.

Learn more: 
http://www.macromedia.com/go/mpsb05-14 


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS, OR FIXES 
PROVIDED BY ADOBE IN THIS BULLETIN ARE PROVIDED "AS IS" 
WITHOUT WARRANTY OF ANY KIND. ADOBE AND ITS SUPPLIERS 
DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR 
OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY 
AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO 
WARRANTY OF NON-INFRINGEMENT, TITLE, OR QUIET ENJOYMENT. 
(USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF 
IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY 
TO YOU. IN NO EVENT SHALL ADOBE, INC. OR ITS SUPPLIERS BE 
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT 
LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, 
SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS 
INTERRUPTION, OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, 
BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF 
CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), 
PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADOBE, INC. OR ITS 
SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED OF 
THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES 
DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR 
CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION 
OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE 
OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE. 

Adobe reserves the right, from time to time, to update 
the information in this document with current information. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
This is a security message from Adobe Systems Incorporated, 
San Jose, CA  95110 USA. If you would prefer not to receive 
e-mail like this from Adobe in the future, please respond 
or send an e-mail to: 
direct@adobesystems-macromedia.com 

Your privacy is important to us. Please review Adobe's online 
Privacy Policy by clicking here:  
http://www.adobe.com/misc/privacy.html 

 
 

