

This is a cumulative patch that includes all previously released patches for JRun 3.0 and 3.1. It is the first patch for JRun 4.0.


The following vulnerabilities are resolved in this set of patches.

All platforms/All Web Servers

  - Several .xml and .jsp file "view source" vulnerabilities that affect all versions of JRun on all web servers. These would allow an attacker to view restricted files under the WEB-INF directory or the source of .jsp files.

Windows/All Web Servers

  - Denial-of-service attacks caused by requesting DOS device names such as aux and con with the suffix .jsp appended.

Windows/Microsoft IIS specific

  - Buffer overflow attacks using large headers or URLs against the ISAPI connector jrun.dll, which can allow an attacker to either crash Microsoft IIS or execute attacker-supplied code.
  - A "view source" vulnerability that exposes the source of restricted .asa and .asp files when %3f.jsp or ?.jsp is appended to the file name.
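As an added example (not part of the advisory and not JRun code), the following Python script scans web-server access log lines in common log format for the request patterns described above: reserved DOS device names with a .jsp suffix, %3f.jsp or ?.jsp appended to .asa/.asp files, requests that reach into WEB-INF, and oversized URLs. The sample log lines, the 1024-byte URL threshold and the extension of the device-name list beyond aux and con are assumptions made for the example.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Windows reserved device names. The advisory names aux and con; the others are the
# remaining standard reserved names and are included here as an assumption.
DOS_DEVICE_NAMES = ({"aux", "con", "prn", "nul"}
                    | {f"com{i}" for i in range(1, 10)}
                    | {f"lpt{i}" for i in range(1, 10)})

# NCSA common log format; only the client address and request target are used.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_target(target: str, max_url_len: int = 1024) -> list:
    """Return the advisory categories a single request target matches (empty if none)."""
    findings = []
    if len(target) > max_url_len:                       # oversized URL sent to jrun.dll (threshold assumed)
        findings.append("oversized-url")
    # .asa/.asp source disclosure by appending ?.jsp or its URL-encoded form %3f.jsp
    if re.search(r"\.as[ap](?:\?|%3f)\.jsp$", target, re.I):
        findings.append("asp-view-source")
    path = unquote(target.split("?", 1)[0]).lower()      # decode once, drop the query string
    if "web-inf" in path.split("/"):                    # any path component named WEB-INF
        findings.append("web-inf-access")
    name = path.rsplit("/", 1)[-1]                      # final path segment, e.g. "aux.jsp"
    if name.endswith(".jsp") and name.split(".")[0] in DOS_DEVICE_NAMES:
        findings.append("dos-device-name")
    return findings

def scan_log(lines: list) -> list:
    """Return (client, target, findings) for every parsable line that matches a category."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                                    # not common log format; skip it
        findings = classify_target(m["target"])
        if findings:
            hits.append((m["ip"], m["target"], findings))
    return hits

# Constructed sample lines (not from a real server) covering each category plus a benign request.
SAMPLE_LOG = [
    '10.0.0.1 - - [10/Oct/2002:13:55:36 -0700] "GET /index.jsp HTTP/1.0" 200 2326',
    '10.0.0.2 - - [10/Oct/2002:13:55:37 -0700] "GET /aux.jsp HTTP/1.0" 500 0',
    '10.0.0.3 - - [10/Oct/2002:13:55:38 -0700] "GET /default.asp%3f.jsp HTTP/1.0" 200 512',
    '10.0.0.4 - - [10/Oct/2002:13:55:39 -0700] "GET /WEB-INF/web.xml HTTP/1.0" 200 1024',
    '10.0.0.5 - - [10/Oct/2002:13:55:40 -0700] "GET /' + "A" * 2000 + ' HTTP/1.0" 414 0',
]

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {target[:60]} -> {', '.join(findings)}")
```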