首页 -> 安全研究
安全研究
安全漏洞
Allaire JRun目录遍历漏洞
发布日期:2001-12-06
更新日期:2001-12-18
受影响系统:
Allaire JRun 2.3.3描述:
- IBM AIX 4.3
- IBM AIX 4.2
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- RedHat Linux 6.1 sparc
- RedHat Linux 6.1 x86
- RedHat Linux 6.1 alpha
- RedHat Linux 6.0 x86
- RedHat Linux 6.0
- RedHat Linux 6.0 sparc
- SGI IRIX 6.5
- Sun Solaris 7.0
- Sun Solaris 2.6
Allaire JRun 3.0
- IBM AIX 4.3
- IBM AIX 4.2
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- RedHat Linux 6.1 alpha
- RedHat Linux 6.1 sparc
- RedHat Linux 6.1 x86
- RedHat Linux 6.0
- RedHat Linux 6.0 sparc
- RedHat Linux 6.0 x86
- SGI IRIX 6.5
- Sun Solaris 7.0
- Sun Solaris 2.6
Allaire JRun 3.1
- IBM AIX 4.3
- IBM AIX 4.2
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- RedHat Linux 6.1 x86
- RedHat Linux 6.1 alpha
- RedHat Linux 6.1 sparc
- RedHat Linux 6.0 sparc
- RedHat Linux 6.0 x86
- RedHat Linux 6.0 alpha
- RedHat Linux 6.0
- SGI IRIX 6.5
- Sun Solaris 8.0
- Sun Solaris 7.0
BUGTRAQ ID: 3666
CVE(CAN) ID: CVE-2001-1544
JRun是由Allaire发布的JSP服务器。
该软件存在一个输入验证漏洞,可能导致目录遍历整个文件系统。
由于JRun没有正确的处理路径标识符,因此远程攻击者可以通过“../”遍历整个文件系统。
<*来源:Macromedia Security Alert (newsflash@macromedia.com)
链接:http://archives.neohapsis.com/archives/bugtraq/2001-12/0091.html
http://www.allaire.com/Handlers/index.cfm?ID=22265&Method=Full&Cache=Off
*>
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 暂时换用其它安全的JSP服务器,如Apache Tomcat等。
厂商补丁:
Allaire
-------
目前厂商已经发布了补丁以修复此安全问题,请立刻到厂商的主页下载:
Allaire JRun 2.3.3:
Allaire Patch Windows JRun 2.3.3 jp23159w_22129.exe
http://download.allaire.com/publicdl/en/jrun/23/jp23159w_22129.exe
Allaire Patch Unix JRun 2.3.3 jp23159u_22129.tar.gz
http://download.allaire.com/publicdl/en/jrun/23/jp23159u_22129.tar.gz
Allaire JRun 3.0:
Allaire Upgrade Windows JRun 3.0 jr30sp2_25232.exe
http://download.allaire.com/publicdl/en/jrun/30/jr30sp2_25232.exe
Allaire Patch Unix JRun 3.0 jr30sp2u_25232.sh
http://download.allaire.com/publicdl/en/jrun/30/jr30sp2u_25232.sh
Allaire JRun 3.1:
Allaire Upgrade Windows JRun 3.1 jrun-31-win-upgrade-us_26414.exe
http://download.allaire.com/publicdl/en/jrun/31/jrun-31-win-upgrade-us_26414.exe
Allaire Patch Unix JRun 3.1 jrun-31-unix-upgrade-us_26414.sh
http://download.allaire.com/publicdl/en/jrun/31/jrun-31-unix-upgrade-us_26414.sh
浏览次数:3803
严重程度:0(网友投票)
绿盟科技给您安全的保障