This script is Copyright (C) 2004-2011 Tenable Network Security, Inc.
The remote web application server is affected by multiple flaws.
The remote host is running JRun, a J2EE application server running on
top of IIS or Apache. There are multiple flaws in the remote version
of this software :
- The JSESSIONID variable is not implemented securely. An attacker may
use this flaw to guess the session id number of other users. Only
JRun 4.0 is affected.
- There is a code disclosure issue that may allow an attacker to obtain
the contents of a .cfm file by appending '
.cfm' to the file name.
Only the Microsoft IIS connector and JRun 4.0 are affected.
- There is a buffer overflow vulnerability if the server connector is
configured in 'verbose' mode. An attacker may exploit this flaw to
execute arbitrary code on the remote host.
See also :
Apply the appropriate patch / updater referenced in the vendor
Risk factor :
Medium / CVSS Base Score : 5.1
CVSS Temporal Score : 4.4
Public Exploit Available : true