CVE 2000-1050
The first vulnerability could allow an attacker to view
arbitrary files or directories that are supposed to be hidden,
such as the WEB-INF directory.
This is accomplished by sending a malformed request which
includes an extraneous slash character before the directory
name. JRun 3.0 and 3.0 SP1 are vulnerable to this attack.
CVE 2000-1051
The second vulnerability could allow an attacker to view
arbitrary files. By making a request to the
SSIFilter servlet including the "../"
string, it is possible to escape from the web root and view
any file on the system. JRun 2.3.3 is affected by this
vulnerability.
A third vulnerability could allow an attacker to execute arbitrary commands on the server. In order to exploit this vulnerability, there would need to be an application on the server which writes user input to a file on the server. The attacker would need to be able to guess the location of that file. By putting JSP commands in the input to the application, and then executing the resulting file as a JSP page using the JSP servlet, arbitrary code could be executed on the server. JRun 2.3.3 is affected by this vulnerability.