Apparently JRun authentication (JRun 3.1, Win NT) can be compromised if you access HTML files using a different case.
I am using the JRun form-based authentication mechanism for protecting access to JSP, HTML and servlet files.
The URL pattern I use in web.xml is this:
<url-pattern>/Debug/*</url-pattern>
<url-pattern>/Admin/*</url-pattern>
If I access a page like this: /Admin/AdminHome.html, I do get the login form.
If I change the URL to /admin/AdminHome.html (note that 'admin' is in lower case),
the login form does not appear, and I get free access to the page!
I think this is a serious limitation.
How can I protect access to HTML pages independently of case?
It does not make sense to have all possible case combinations (like admin, aDmin, etc.) in the web.xml file. There are too many combinations (2 ** length), and this will also slow down JRun.
JSP files do not show this problem (e.g. /admin/AdminHome.jsp), simply because JRun throws a nasty error if the case is different from the actual name on disk. I am not sure I like this behaviour, but at least it does not compromise security.
Converting all html files to jsp is not an option for us.
What can I do ?
Thanks in advance for any help.
- Venky
Nortel Networks
[EMAIL PROTECTED]
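One way to close the gap described in the post above, as an added example that is neither JRun's code nor the poster's: a servlet Filter that compares the decoded, context-relative request path against the protected prefixes ignoring case, and redirects a mismatch such as /admin/AdminHome.html to its exact-case form /Admin/AdminHome.html, so that the <security-constraint> declared in web.xml (and its login form) is applied by the container as written. It assumes a container with the Servlet 2.3 Filter API; if JRun 3.1 does not offer it, the same check has to live in a front servlet or whatever request-interception hook the server provides. The class name CanonicalCaseFilter and the protectedPrefixes init-param are assumptions, not anything from the post or from JRun.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * CanonicalCaseFilter (added example, not JRun code).
 *
 * The container matches security-constraint url-patterns such as /Admin/*
 * case-sensitively, but on a Windows file system /admin/AdminHome.html is
 * served from the same file as /Admin/AdminHome.html.  Mapped to /*, this
 * filter redirects any request whose path matches a protected prefix only
 * when case is ignored to the exact-case URL, so the declared constraint
 * applies.  The hypothetical init-param "protectedPrefixes" lists the
 * prefixes, comma separated, e.g. "/Debug,/Admin".
 */
public class CanonicalCaseFilter implements Filter {

    private final List<String> prefixes = new ArrayList<String>();

    public void init(FilterConfig config) throws ServletException {
        String raw = config.getInitParameter("protectedPrefixes");
        if (raw == null) {
            throw new ServletException("protectedPrefixes init-param is required");
        }
        for (String p : raw.split(",")) {
            p = p.trim();
            while (p.endsWith("/")) {               // store "/Admin", not "/Admin/"
                p = p.substring(0, p.length() - 1);
            }
            if (p.length() > 1) prefixes.add(p);
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Context-relative, URL-decoded path: "%41dmin" arrives here as "Admin".
        String path = req.getServletPath();
        if (req.getPathInfo() != null) path += req.getPathInfo();

        // Dot segments and backslashes are never part of a canonical URL in this
        // application; refuse them rather than guess how the file system resolves them.
        if (path.indexOf("/../") >= 0 || path.endsWith("/..")
                || path.indexOf("/./") >= 0 || path.indexOf('\\') >= 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        for (String prefix : prefixes) {
            // Case-insensitive match on a whole path segment: "/admin" or "/admin/...",
            // but not "/administrator".
            boolean segmentMatch = path.regionMatches(true, 0, prefix, 0, prefix.length())
                    && (path.length() == prefix.length()
                        || path.charAt(prefix.length()) == '/');
            if (!segmentMatch) continue;

            if (!path.startsWith(prefix)) {
                // "/admin/AdminHome.html" -> "/Admin/AdminHome.html"; the redirect
                // target is built from the configured prefix, not from the request.
                String canonical = req.getContextPath() + prefix
                        + path.substring(prefix.length());
                if (req.getQueryString() != null) {
                    canonical += "?" + req.getQueryString();
                }
                resp.sendRedirect(canonical);
                return;
            }
            break;  // exact case: the declared security constraint already covers it
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        prefixes.clear();
    }
}
```

Register it in web.xml with a <filter> element carrying the protectedPrefixes init-param and a <filter-mapping> whose <url-pattern> is /*, so it sees every request before the constraint check. The redirect keeps the existing web.xml constraints as the single source of truth for what is protected; if you prefer not to reveal that a differently-cased path exists at all, answer with sendError(404) instead of the redirect. Note that a redirect turns a POST into a GET, which is acceptable here because the redirected request should be met by the login form anyway.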
