
Macromedia Product Security Bulletin (MPSB01-06)
JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting vulnerability (a.k.a. JavaScript code execution vulnerability)

Originally Posted: June 28, 2001
Last Updated: August 8, 2001

Summary

Accessing a non-existent JSP or Servlet with embedded SCRIPT tags would execute the embedded script on the client browser.

NOTE: Users with the following versions do not need to upgrade: JRun 3.0 sp2a 16777 or higher

Issue

The problem described in this bulletin exists in JRun 3.0 and 2.3.3. A patch is not required for JRun 3.1, but if you are using JRun 3.1 you should still refer to the articles mentioned later in this document for best practices concerning related security precautions. The URIs listed below reference various mapping rules set up in JRun by default. Note that the URIs reference a file of type jsp, jrun (from 2.3.3) or jsp10 (from 2.3.3). The form of the URI is:

http://jrun_server:8000/" + opening and closing SCRIPT tag with JavaScript code + "." + file extension

The problem would also manifest itself if you tried accessing a non-existent servlet with an embedded script tag in the format:

http://jrun_server:8000/servlet/" + opening and closing SCRIPT tag with JavaScript code

In all cases the files that the URIs refer to do not physically exist on the server; the URIs themselves include embedded SCRIPT tags with actual JavaScript. The script, being part of the requested URI, is returned to the browser as is, embedded within the default error page. The client browser would then recognize the script tag and evaluate the contents once the error page was returned. It was possible to disable this behavior by setting your own HTTP error page as described in Chapter 40 of the "Developing Applications with JRun" 3.x manual. The script was returned to the client browser and executed in the browser due to the way that JRun was processing the page on the server.

Below are examples across the different versions. In all cases, when these URIs were accessed in the browser, the JavaScript code was executed in the client browser and an alert box with the message "Hello World!" was displayed in the browser.

JRun 2.3.3

  • http://jrun_server:8000/<script>alert('Hello World!');</script>.jsp10
  • http://localhost:8000/<script>alert('Hello World!');</script>.jrun
  • http://localhost:8000/servlet/<script>alert('Hello World!');</script>

JRun 3.0

  • http://localhost:8000/<script>alert('Hello World!');</script>.jsp
  • http://localhost:8000/servlet/<script>alert('Hello World!');</script>

To understand more about the general nature of this issue you should read the following articles:

Affected Software Versions
  • JRun 3.0 (all editions)
  • JRun 2.3.3 (all editions)

What Macromedia is Doing

Macromedia has published this bulletin, notifying customers of the problem. Macromedia has also released patches for 3.0 and 2.3.3 that prevent the default error handling from executing the JavaScript. A fix was made so that the error page entitizes the '<' and '>' characters into "&lt;" and "&gt;" and thus prevents the script from being interpreted by the client. The patch is included in a post-SP2a release of JRun 3.0 and a post-Build 159 release of 2.3.3.
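The mechanism and the fix described above, as an added example (not JRun or Macromedia code): an error page built with the requested path copied in as is, beside one that entitizes the path first. The class and method names are hypothetical, the page markup is constructed, and escaping '&' and quotes goes beyond the two characters the bulletin names.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added illustration; not JRun source code. Class and method names are hypothetical.
public class ErrorPageEscaping {

    // Behaviour the bulletin describes before the patch: the requested path
    // is copied into the error page unchanged.
    static String unpatchedErrorPage(String requestPath) {
        return "<html><body><h1>404 Not Found</h1><p>" + requestPath
             + "</p></body></html>";
    }

    // Behaviour after the patch: markup characters become entities, so the
    // browser renders the path as text. The bulletin names '<' and '>';
    // '&', '"' and '\'' are escaped here as well (an addition of this example).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    static String patchedErrorPage(String requestPath) {
        return "<html><body><h1>404 Not Found</h1><p>" + escapeHtml(requestPath)
             + "</p></body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample: the bulletin's JRun 3.0 example path, once as
        // typed and once percent-encoded as a browser may send it.
        String[] rawPaths = {
            "/<script>alert('Hello World!');</script>.jsp",
            "/%3Cscript%3Ealert('Hello%20World!');%3C/script%3E.jsp"
        };
        for (String raw : rawPaths) {
            // Assumption: the container decodes the path before building the
            // page, so escaping is applied to the decoded value.
            String path = URLDecoder.decode(raw, StandardCharsets.UTF_8);
            System.out.println("unpatched: " + unpatchedErrorPage(path));
            System.out.println("patched:   " + patchedErrorPage(path));
        }
    }
}
```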

JRun users can find the patch for installation at the following URIs -- use the patch and JRun version appropriate to your platform -- instructions for installation are included:

Windows 95/98/NT/2000 and Windows NT Alpha:
JRun 3.0: http://download1.allaire.com/publicdl/en/jrun/30/jr30sp2_MPSB_03_04_05_06.exe
JRun 3.0 (Japanese): http://download.allaire.com/publicdl/jp/jrun/31/jr30sp2_j_MPSB_03_04_05_06.exe
JRun 3.0 (French): http://download.allaire.com/publicdl/fr/jrun/31/jr30sp2_fr_MPSB_03_04_05_06.exe
JRun 2.3.3: http://download1.allaire.com/publicdl/en/jrun/23/jp23159w_MPSB_03_04_05_06.exe

UNIX/Linux patch - GNU gzip/tar:

JRun 3.0: http://download1.allaire.com/publicdl/en/jrun/30/jr30sp2u_MPSB_03_04_05_06.sh
JRun 3.0 (Japanese): http://download.allaire.com/publicdl/jp/jrun/31/jr30sp2u_j_MPSB_03_04_05_06.sh
JRun 3.0 (French): http://download.allaire.com/publicdl/fr/jrun/31/jr30sp2u_fr_MPSB_03_04_05_06.sh
JRun 2.3.3: http://download1.allaire.com/publicdl/en/jrun/23/jp23159u_MPSB_03_04_05_06.tar.gz

Please Note: The patch for MPSB01-03, MPSB01-04, MPSB01-05, and MPSB01-06 is identical. If you have already installed the patch for one, you do not need to install it for any of the others.

It is recommended that you back up your existing data before applying any patch.

What Customers Should Do

Customers should download and install the patch(es) that are pertinent to their particular installation. Customers should also review the three articles referred to in the "Issue" section of this bulletin and follow all best practices suggested in these articles.

Please note: As always, customers should test patch changes in a testing environment before modifying production servers.

Revisions
June 28, 2001 -- Bulletin first created.
August 8, 2001 -- Added links for Japanese and French versions of JRun 3.0.

Reporting Security Issues
Macromedia is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with a Macromedia product, please send an email to secure@macromedia.com. We will work to appropriately address and communicate the issue.

Receiving Security Bulletins
When Macromedia becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Macromedia customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service.

For additional information on security issues at Macromedia, please visit the Security Zone at:
http://www.macromedia.com/security.

THE INFORMATION PROVIDED BY MACROMEDIA IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.

IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.

Macromedia reserves the right, from time to time, to update the information in this document with current information.