Westpoint Security Advisory

Title: 		Macromedia JRun Admin Server Authentication Bypass		
Risk Rating:	Medium
Software: 	Macromedia JRun 4
Platforms:	WinNT, Win2k, *nix	
Vendor URL: 	www.macromedia.com
Author:		Matt Moore <matt@westpoint.ltd.uk>	
Date:		28th June 2002
Advisory ID#:	wp-02-0009.txt
CVE#:           CAN-2002-0665

JRun is Macromedia's servlet / jsp engine. It installs an web based administration
console on TCP port 8000. Before using the console users are required to login via
an HTML form. This form can be bypassed, and administrative functions accessed
without authentication.

The login form is the default page served up by the server on port 8000. 
By inserting an extra '/' in the URL we bypass the login form and gain 
access to the web based admin console, e.g. 


We do not have unrestricted access to the admin console - clicking on further links
returns you to the login page. However, by requesting the desired admin function 
in the initial URL we bypass this restriction also, e.g:


will shutdown the 'default' JRun server instance on port 8100. Other administrative
functions can also be accessed.

Patch Information:

Macromedia have produced a cumulative patch for JRun,
availability of which is described in the bulletin at:


This advisory is available online at:


Designed & Built by e3creative