Macromedia Product Security Bulletin (MPSB01-17)
Patch Available for File System Traversal Issue with JRun Web Server on Windows platforms.

Originally Posted: December 6, 2001
Last Updated: January 22, 2002

Summary

Windows platforms running the JRun Web Server have an issue handling URLs beginning with "../" that could allow an attacker full file system access to the drive on which the JRun Web Server and the JRun installation are running. The attack compromises system security.

Issue

The issue described in this bulletin exists in JRun 2.3.3, JRun 3.0 and JRun 3.1. This issue only applies to the Web Server (a.k.a. JWS or JRun Web Server) that is part of the JRun installation. It is possible only when using a tool like telnet or netcat and issuing HTTP GET commands. It does not affect any other commercial web server (Apache, Netscape, IIS) that communicates with JRun through a connector.
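The failure pattern behind this bulletin is a web server that joins the request path onto its document root without checking whether the normalised result still lies inside that root. The following is an added example, not JRun code or Macromedia's patch: it shows the naive resolution that lets a "../" request walk above the root, a hardened resolver that rejects such requests (including percent-encoded and backslash forms), and a small check that runs the same resolver over access-log lines so a defender can spot attempts after the fact. The document root, log lines and file names are constructed for the example; POSIX-style paths are used so it runs anywhere, while the backslash rejection covers the Windows separator the bulletin is concerned with.

```python
"""Added example (not JRun or Macromedia code): naive vs. hardened resolution
of an HTTP request path against a document root, plus a log check.
All paths and log lines below are constructed for the example."""
import os
import re
from urllib.parse import unquote

# Constructed document root for the example; not a real JRun layout.
DOC_ROOT = "/opt/jrun/servers/default/default-app"


def naive_resolve(doc_root, url_path):
    """The broken pattern: concatenate root and request path, then normalise.
    os.path.normpath collapses the '../' segments, so a request that begins
    with enough of them resolves to a file above doc_root. The return value
    is the path a server written this way would open."""
    return os.path.normpath(doc_root + "/" + unquote(url_path))


def safe_resolve(doc_root, url_path):
    """Hardened resolution: decode, reject separators the platform might
    honour, normalise, and require the result to stay inside doc_root.
    Returns the filesystem path, or None when the request escapes."""
    root = os.path.normpath(doc_root)
    decoded = unquote(url_path)
    # NUL bytes truncate C strings; backslashes are separators on Windows.
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = os.path.normpath(os.path.join(root, decoded.lstrip("/")))
    # Containment check on the normalised path, not on the raw string, so
    # '/docs/../index.html' (inside the root) is allowed while any path that
    # climbs out of the root is refused.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


# Request line of a Common Log Format access-log entry (constructed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) +(\S+)')

# Constructed sample log lines; the 10.0.0.9 entries imitate traversal attempts.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Dec/2001:10:00:00 -0500] "GET /index.html HTTP/1.0" 200 1532',
    '10.0.0.9 - - [06/Dec/2001:10:00:03 -0500] "GET /../../../../../../winnt/win.ini HTTP/1.0" 200 403',
    '10.0.0.9 - - [06/Dec/2001:10:00:04 -0500] "GET /%2e%2e/%2e%2e/boot.ini HTTP/1.0" 200 201',
    '10.0.0.7 - - [06/Dec/2001:10:00:05 -0500] "GET /docs/../index.html HTTP/1.0" 200 1532',
]


def flag_traversal_requests(log_lines, doc_root=DOC_ROOT):
    """Return (client_ip, raw_request_path) for every log line whose request
    path would have escaped doc_root under the hardened resolver. Reusing
    safe_resolve keeps detection and prevention on the same rule and avoids
    flagging '..' segments that stay inside the root."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw_path = match.group(1)
        if safe_resolve(doc_root, raw_path) is None:
            hits.append((line.split()[0], raw_path))
    return hits


if __name__ == "__main__":
    escaping = "/../../../../../../winnt/win.ini"
    print("naive :", naive_resolve(DOC_ROOT, escaping))   # lands outside the root
    print("safe  :", safe_resolve(DOC_ROOT, escaping))    # None: request refused
    for client, path in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt from", client, "->", path)
```

The containment test is done on the normalised path rather than by scanning the raw string for "..", which is why the percent-encoded variant is caught (it is decoded first) and why a "../" that never leaves the root is not reported as an attack. On a Windows host the same check should be made case-insensitively and after converting backslashes, which is why the resolver above simply refuses them.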

Affected Software Versions

  • JRun 3.1 (all editions)
  • JRun 3.0 (all editions)
  • JRun 2.3.3 (all editions)

What Macromedia is Doing

Macromedia has published this bulletin, notifying customers of the issue. Macromedia has also released a patch that should resolve the issue in JRun 3.1, 3.0 and 2.3.3.

JRun users can find the patch for installation at the following URIs. Use the patch and JRun version appropriate to your platform. Instructions for installation are included.

Windows: (English)

Windows: (Japanese)

Windows: (French)

UNIX/Linux patch (English) - GNU gzip/tar:

UNIX/Linux patch (Japanese) - GNU gzip/tar:

UNIX/Linux patch (French) - GNU gzip/tar:

Please Note: The patches for MPSB01-09, MPSB01-10, MPSB01-14, MPSB01-15, MPSB01-16, MPSB01-17 and MPSB01-18 are identical. If you have already installed the patch for one, you do not need to install it for any of the others.

It is recommended that you back up your existing data before applying any patch.

What Customers Should Do

We strongly encourage customers to download and install this patch immediately.

Please note: As always, customers should test patch changes in a testing environment before modifying production servers.

In addition, it should be noted that the JRun Web Server is a development-only web server. We do not recommend using the JRun Web Server in production. Therefore, as a best practice, Macromedia suggests developers make sure both JRun Web Servers installed by default (default and admin) are inactive on production machines by shutting them off (admin uses port 8000, default uses port 8100). This should be practiced for any additional JRun Servers you might add that go into production.

Revisions
December 6, 2001 -- Bulletin first created.

Reporting Security Issues
Macromedia is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with a Macromedia product, please send an email to secure@macromedia.com. We will work to appropriately address and communicate the issue.

Receiving Security Bulletins
When Macromedia becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Macromedia customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service.

For additional information on security issues at Macromedia, please visit the Security Zone at:
http://www.macromedia.com/security.

ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES PROVIDED BY MACROMEDIA IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.

IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT(INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.

Macromedia reserves the right, from time to time, to update the information in this document with current information.