September 24, 2004 -- (WEB HOST INDUSTRY REVIEW) -- According to an advisory from security researcher Secunia (secunia.com), vulnerabilities in Macromedia's JRun Web application server could allow a remote attacker to compromise a machine running the software.
The "moderately critical" vulnerabilities, affecting versions 3.0, 3.1 and 4.0, said the advisory, could be exploited to hijack an authenticated user's session, conduct cross-site scripting attacks, disclose sensitive information and initiate a denial of service attack.
Specific vulnerabilities include: an implementation error in the generation and handling of JSESSIONIDs, which can be exploited to hijack a user's session; a cross-site scripting and session handling vulnerability in the JRun Management Console, which can be used to execute arbitrary HTML and script code in a user's browser session or to hijack a user's session; a URL parsing error, limited to the Microsoft IIS connector, which can be exploited to disclose the source of script files and other files; and a boundary error in the verbose logging module, which can be used to crash the Web server.
Secunia recommends that users apply patches released by Macromedia.