what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ACROS Security Problem Report 2004-10-14.1

ACROS Security Problem Report 2004-10-14.1
Posted Oct 26, 2004
Authored by Mitja Kolsek, ACROS Security | Site acrossecurity.com

ACROS Security Problem Report #2004-10-14-1 - An HTML injection vulnerability exists in JRun Management Console, enabling attackers to hijack administrative sessions using cross site scripting. Version affected: JRun 4 for Windows, Service Pack 1a, possibly others.

tags | advisory, xss
systems | windows
SHA-256 | 487af986bd012c24d6a3e7e4dfd960e7c9e9331bc24d864abeb1255a1d845802

ACROS Security Problem Report 2004-10-14.1

Change Mirror Download
=====[BEGIN-ACROS-REPORT]=====

PUBLIC

=========================================================================
ACROS Security Problem Report #2004-10-14-1
-------------------------------------------------------------------------
ASPR #2004-10-14-1: HTML Injection in JRun Management Console
=========================================================================

Document ID: ASPR #2004-10-14-1-PUB
Vendor: Macromedia (http://www.macromedia.com)
Target: JRun 4 for Windows, Service Pack 1a
Impact: An HTML injection vulnerability exists in JRun
Management Console, enabling attackers to hijack
administrative sessions using cross site scripting
Severity: Medium
Status: Official patch available, workaround available
Discovered by: Mitja Kolsek of ACROS Security

Current version
http://www.acrossecurity.com/aspr/ASPR-2004-10-14-1-PUB.txt


Summary
=======

An HTML injection vulnerability exists in JRun 4 Management Console,
allowing the attacker to acquire the session ID of a management session and
subsequently enter that session without administrator noticing it.


Product Coverage
================

- JRun 4 for Windows, Service Pack 1a - affected

All updaters applied, up to and excluding JRun4 Updater 4.
Other versions may also be affected.


Analysis
========

Cross site scripting is a very common problem with web-based applications.
Basically it is present whenever the server is willing to include user's
input data, which contains some client-side script (e.g. JavaScript), back
to the browser unsanitized, somewhere within the generated web page. This
script, when executed, has access to all information within and about the
received web page, including the cookies.

JRun employs so-called "session cookies" for HTTP session maintenance. After
administrator's login to Management Console, JRun server generates a unique
session identifier (session ID) and sends it to administrator's browser
as a cookie named JSESSIONID. This session ID effectively becomes a static
password for the session, meaning that until the session times out or is
closed by the logged in administrator (by logging off), any browser with
access to port 8000 of JRun server and knowledge of the session ID will have
access to this session, and thereby access to administration of JRun
application servers.


Mitigating Factors
==================

1) Attacker must lure the JRun administrator into visiting a hostile web
site
while he (admin) has an authenticated session with the JRun Management
Console.


Solution
========

Macromedia has issued a security bulletin [1] and published JRun4 Updater 4,
which fixes this issue. Affected users can download the updater from
http://www.macromedia.com/support/jrun/updaters.html


Workaround
==========

- Don't allow potential attackers access to port 8000 of JRun server.
- Don't browse around or read HTML e-mail while administering JRun server.
- Always close all browser instances/windows before logging in to JRun
Management Console.


References
==========

[1] Macromedia Security Bulletin MPSB04-08
http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html


Acknowledgments
===============

We would like to acknowledge Macromedia for response to our notification of
the identified vulnerability.


Contact
=======

ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: security@acrossecurity.com
web: http://www.acrossecurity.com
phone: +386 2 3000 280
fax: +386 2 3000 282

ACROS Security PGP Key
http://www.acrossecurity.com/pgpkey.asc
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories
http://www.acrossecurity.com/advisories.htm

ACROS Security Papers
http://www.acrossecurity.com/papers.htm

ASPR Notification and Publishing Policy
http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm


Disclaimer
==========

The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.


Revision History
================

October 14, 2004: Initial release


Copyright
=========

(c) 2004 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.

=====[END-ACROS-REPORT]=====

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close