RE: JRun 4.0 SP1a Error in installing the jrun
This is bug 49237. Typically, the installer runs into this when the default is JVM 1.2.2 (java -version). We've fixed this in JRun but I don't think we did in ColdFusion MX. Make sure the default JVM is something like 1.3.x. Stephen Dupre JRun QA -Original Message- From: Kannaiyan P [mailto:[EMAIL PROTECTED]] Sent: Friday, January 10, 2003 9:32 PM To: JRun-Talk Subject: JRun 4.0 SP1a Error in installing the jrun Hello, Execute ANT Script: Script: build.xml Status: ERROR Additional Notes: ERROR - build.xml:57: java.io.IOException: Cannot locate antRun script: Property 'ant.home' not found Install Directory:/opt/jrun4/ Status: SUCCESSFUL Additional Notes: NOTE - Directory already existed. i am getting this error when installing the jrun sp1a . Thanks Kannan. ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=8 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=8 Get the JRun Web Application Construction Kit - the only book written specifically for JRun developers. http://www.amazon.com/exec/obidos/ASIN/0789726009/houseoffusion
JSP security issues
Hi All, I act as administrator on a Redhat 7.1 system running Jrun 3.1 with the Sun JRE. I've spotted some security issues, which I could use some advice on. Firstly, our site specification requires a file upload section. I've just confirmed that it's possible to upload a JSP file, and have its code interpreted by Jrun. Not good at all. 8-( My preferred fix is to have the uploads go into their own directory, which Jrun is configured *not* to execute files from. Does anyone know a way to exclude a sub-tree in this way? I've examined the configuration section of Drew Falkman's book, but can't see anything relevant. The second really relates to the JRE. It will insist on running as user 'root.' Who'd have thought that of Sun? It's not like they are UN*X newbies, after all. I've tried setting the java executable to be suid 'apache,' but then it fails to run due to not finding an essential library. A long search of the Web only brought up files about the need to install as root, nothing about preventing it from running as him. The potential of those two vulnerabilities together is *quite* unnerving. Does anyone know of a solution to either problem? TIA -- David Spacey [EMAIL PROTECTED]
RE: JRun 4.0 SP1a Error in installing the jrun
Hi Stephen, I still have the same problem. I set the path for /usr/j2se/bin . still i have the same issue. you mean i need j2sdk 1.3.1 Version. Please let me know. becoz i did with production i don't know it cause any problem. Thanks kannan. From: Stephen Dupre [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: JRun-Talk [EMAIL PROTECTED] Subject: RE: JRun 4.0 SP1a Error in installing the jrun Date: Mon, 13 Jan 2003 07:46:16 -0500 This is bug 49237. Typically, the installer runs into this when the default is JVM 1.2.2 (java -version). We've fixed this in JRun but I don't think we did in ColdFusion MX. Make sure the default JVM is something like 1.3.x. Stephen Dupre JRun QA -Original Message- From: Kannaiyan P [mailto:[EMAIL PROTECTED]] Sent: Friday, January 10, 2003 9:32 PM To: JRun-Talk Subject: JRun 4.0 SP1a Error in installing the jrun Hello, Execute ANT Script: Script: build.xml Status: ERROR Additional Notes: ERROR - build.xml:57: java.io.IOException: Cannot locate antRun script: Property 'ant.home' not found Install Directory:/opt/jrun4/ Status: SUCCESSFUL Additional Notes: NOTE - Directory already existed. i am getting this error when installing the jrun sp1a . Thanks Kannan. ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=8 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=8 Get the JRun Web Application Construction Kit - the only book written specifically for JRun developers. http://www.amazon.com/exec/obidos/ASIN/0789726009/houseoffusion
RE: JSP security issues
Firstly, our site specification requires a file upload section. I've just confirmed that it's possible to upload a JSP file, and have its code interpreted by Jrun. Not good at all. 8-( My preferred fix is to have the uploads go into their own directory, which Jrun is configured *not* to execute files from. Does anyone know a way to exclude a sub-tree in this way? I've examined the configuration section of Drew Falkman's book, but can't see anything relevant. I think this would be a matter of Apache configuration. I'm more familiar with IIS; in IIS, you can disable the use of scripts and/or executables within a single directory from within the IIS management console. I'm very sure you can do the same in Apache, but I'm not 100% sure how you'd do it. I suspect you might do something like this: Directory /var/www/somedirectory Options None /Directory You might want to read the Apache documentation for more details, or a more correct answer. If this works for you, please let me know. The second really relates to the JRE. It will insist on running as user 'root.' Who'd have thought that of Sun? It's not like they are UN*X newbies, after all. I've tried setting the java executable to be suid 'apache,' but then it fails to run due to not finding an essential library. A long search of the Web only brought up files about the need to install as root, nothing about preventing it from running as him. I don't have a clue about that. Sorry. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=8 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=8 Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm
Re: JSP security issues
The root security issue has been addressed in JRUN 4 -D - Original Message - From: David Spacey [EMAIL PROTECTED] To: JRun-Talk [EMAIL PROTECTED] Sent: Monday, January 13, 2003 7:03 AM Subject: JSP security issues Hi All, I act as administrator on a Redhat 7.1 system running Jrun 3.1 with the Sun JRE. I've spotted some security issues, which I could use some advice on. Firstly, our site specification requires a file upload section. I've just confirmed that it's possible to upload a JSP file, and have its code interpreted by Jrun. Not good at all. 8-( My preferred fix is to have the uploads go into their own directory, which Jrun is configured *not* to execute files from. Does anyone know a way to exclude a sub-tree in this way? I've examined the configuration section of Drew Falkman's book, but can't see anything relevant. The second really relates to the JRE. It will insist on running as user 'root.' Who'd have thought that of Sun? It's not like they are UN*X newbies, after all. I've tried setting the java executable to be suid 'apache,' but then it fails to run due to not finding an essential library. A long search of the Web only brought up files about the need to install as root, nothing about preventing it from running as him. The potential of those two vulnerabilities together is *quite* unnerving. Does anyone know of a solution to either problem? TIA -- David Spacey [EMAIL PROTECTED] ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=8 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=8 Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm