In-Reply-To: <PKEMKDGKMFGJMOHGPHFPAEBJCAAA.george.hedfors@defcom.com>

Here are some HTTP header dumps from different web servers that are
vulnerable to the %3f.jsp directory content vulnerability:

HTTP/1.0 200 OK
Date: Fri, 30 Nov 2001 03:43:27 GMT
Server: Jetty/3.1.RC8 (Linux 2.2.16-22enterprise x86)
Servlet-Engine: Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.3.0)

HTTP/1.1 200 OK
Date: Fri, 30 Nov 2001 04:00:20 GMT
Server: Apache/1.3.20 (Linux/SuSE) mod_jk
Last-Modified: Thu, 01 Nov 2001 21:20:47 GMT

HTTP/1.1 302 Found
Date: Fri, 30 Nov 2001 04:03:07 GMT
Server: Apache/1.3.14 (Unix) PHP/4.0.6 ApacheJServ/1.1.2
Servlet-Engine: Tomcat Web Server/3.2.3 (JSP 1.1; Servlet 2.2; Java 1. 5.8 sparc; java.vendor=Sun Microsystems Inc.)

mad love to securityfocus.com....

-slow2show-
University of Florida

>From: "George Hedfors" <george.hedfors@defcom.com>
>To: "Felix Huber" <huberfelix@webtopia.de>,
>    "BugTraq" <bugtraq@securityfocus.com>
>Subject: RE: def-2001-32 - Allaire JRun directory browsing vulnerability
>Date: Thu, 29 Nov 2001 12:03:57 +0100
>
>That Apache must be running some JRun engine, could you find out which?
>
>Regards, George
>
>-----Original Message-----
>From: Felix Huber [mailto:huberfelix@webtopia.de]
>Sent: 29 November 2001 11:55
>To: George Hedfors; bugtraq@securityfocus.com
>Subject: Re: def-2001-32 - Allaire JRun directory browsing vulnerability
>
>
>> ------------------------=[Affected Systems]=--------------------------
>> Under Windows NT/2000(any service pack) and IIS 4.0/5.0:
>> - JRun 3.0 (all editions)
>> - JRun 3.1 (all editions)
>> ----------------------=[Detailed Description]=------------------------
>> Upon sending a specially formed request to the web server, containing
>> a '.jsp' extension makes the JRun handle the request. Example:
>>
>> http://www.victim.com/%3f.jsp
>
>Not only IIS is affected, I found a vulnerable site running Apache 1.3.19 on
>Solaris.
>
>A NASL Script is attached to find affected systems.
>
>
>Kind regards
>Felix Huber
>
>
>-------------------------------------------------------
>Felix Huber, Security Consultant, Webtopia
>Guendlinger Str.2, 79241 Ihringen - Germany
>huberfelix@webtopia.de      (07668) 951 156 (phone)
>http://www.webtopia.de      (07668) 951 157 (fax)
>                            (01792) 205 724 (mobile)
>-------------------------------------------------------
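
Added example, not part of the original thread or of any vendor's code: a small access-log check for the request form quoted in the advisory (/%3f.jsp), so an administrator can see whether a server received such requests and how it answered. It assumes Common/Combined Log Format and that the same form may appear under any directory; the sample lines, addresses and function names are constructed for illustration.

```python
import re

# Common/Combined Log Format prefix: host ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Last path segment is exactly an encoded "?" followed by ".jsp" (either hex case).
PROBE_RE = re.compile(r'/%3f\.jsp$', re.IGNORECASE)


def classify(status):
    """Map the response status to a triage label."""
    if status == 200:
        return "served"      # body returned: check whether it was a listing
    if 300 <= status < 400:
        return "redirected"  # follow up on where the Location pointed
    return "rejected"


def find_probes(lines):
    """Return (host, path, status, label) for each request matching PROBE_RE."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a parseable access-log line
        # Drop a real query string; the encoded "?" of interest is in the path.
        path = m.group("target").split("?", 1)[0]
        if PROBE_RE.search(path):
            status = int(m.group("status"))
            hits.append((m.group("host"), path, status, classify(status)))
    return hits


# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Nov/2001:03:43:27 +0000] "GET /%3f.jsp HTTP/1.0" 200 1843',
    '192.0.2.10 - - [30/Nov/2001:03:43:29 +0000] "GET /index.jsp?id=4 HTTP/1.0" 200 512',
    '198.51.100.7 - - [30/Nov/2001:04:03:07 +0000] "GET /app/%3F.jsp HTTP/1.1" 302 0',
    '198.51.100.7 - - [30/Nov/2001:04:03:09 +0000] "GET /docs/faq%3f.jsp HTTP/1.1" 404 210',
    '203.0.113.5 - - [30/Nov/2001:04:10:00 +0000] "GET /%3f.jsp?x=1 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

A "served" hit is the case to review first, since the header dumps above show affected servers answering with 200 OK.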