CVE 2000-1050
CVE 2001-0179
The first vulnerability could allow an attacker to view
arbitrary files or directories that are supposed to be hidden,
such as the WEB-INF directory.
This is accomplished by sending a malformed request which
includes an extraneous slash character before the directory
name. It could also be possible to read the web.xml
file. JRun 3.0 and 3.0 SP1 are vulnerable to this attack.
CVE 2000-1051
The second vulnerability could allow an attacker to view
arbitrary files. By making a request to the
SSIFilter servlet including the "../"
string, it is possible to escape from the web root and view
any file on the system. JRun 2.3.3 is affected by this
vulnerability.
A third vulnerability could allow an attacker to execute arbitrary commands on the server. In order to exploit this vulnerability, there would need to be an application on the server which writes user input to a file on the server. The attacker would need to be able to guess the location of that file. By putting JSP commands in the input to the application, and then executing the resulting file as a JSP page using the JSP servlet, arbitrary code could be executed on the server. JRun 2.3.3 is affected by this vulnerability.