Tom,

Thanks for letting everyone on the jrun-talk group know.

Celeste

-----Original Message-----
From: Tom Duffy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 05, 2001 8:21 AM
To: JRun-Talk
Subject: security alert, IIS and Jrun vulnerability

fyi

* DISCLOSURE VULNERABILITY IN ALLAIRE JRUN FOR MICROSOFT IIS

A vulnerability exists in Allaire's JRun for Microsoft Internet Information Services (IIS) 5.0 and Internet Information Server (IIS) 4.0 that a remote user can exploit to read any file or directory located within the webroot. By appending the request with "%3f.jsp," an attacker can read the webroot files. The vendor, Allaire, released security bulletin MPSB01-13 to address this vulnerability and recommends that affected users immediately turn off directory browsing of the JRun Default Server for two applications: Default Application and Demo Application. The bulletin lists several other steps that Allaire customers should follow to protect themselves from this vulnerability.

http://www.secadministrator.com/articles/index.cfm?articleid=23372
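For administrators who want to check whether the request pattern named in the alert has reached their server, here is a log check, added as an example and not part of the original messages or of Allaire's bulletin. It assumes an access log in NCSA common log format that records the request target as sent; the sample lines, addresses and paths are constructed, and the function name is hypothetical.

```python
import re

# Constructed sample log (NCSA common log format); not data from the alert.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Dec/2001:08:30:01 -0500] "GET /index.jsp HTTP/1.0" 200 5120
192.0.2.44 - - [05/Dec/2001:08:31:12 -0500] "GET /%3f.jsp HTTP/1.0" 200 2048
192.0.2.44 - - [05/Dec/2001:08:31:15 -0500] "GET /docs/readme.txt%3F.JSP HTTP/1.0" 200 911
192.0.2.10 - - [05/Dec/2001:08:32:40 -0500] "GET /search.jsp?q=%3f.jsp HTTP/1.0" 200 700
malformed line without a request
"""

# client, identd, user, [timestamp], "METHOD target protocol", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')

# The alert's marker: an encoded "?" followed by ".jsp" at the end of the path.
# Percent-encoding hex digits and the extension may arrive in either case.
SUFFIX = "%3f.jsp"
APPENDED_RE = re.compile(re.escape(SUFFIX) + r"$", re.IGNORECASE)


def find_appended_jsp(log_text):
    """Return one dict per request whose path ends with an encoded '?' + '.jsp'."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed request entries
        client, method, target, status = m.groups()
        # Only the path counts: the same text inside a real query string
        # (after a literal '?') is ordinary parameter data.
        path = target.split("?", 1)[0]
        if APPENDED_RE.search(path):
            hits.append({
                "client": client,
                "method": method,
                "target": target,
                # The file or directory the request was really asking for.
                "resource": path[:-len(SUFFIX)] or "/",
                "status": int(status),
            })
    return hits


if __name__ == "__main__":
    for hit in find_appended_jsp(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["resource"])
```

A 200 status on a flagged line means the server answered the request, so the listed resource should be treated as disclosed until the bulletin's steps are in place.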
