SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Web Server/CGI)  >   Resin Vendors:   Caucho Technology
Resin Input Validation Flaw in Documentation Viewer Lets Remote Users Traverse the Web Root Directory
SecurityTracker Alert ID:  1016110
SecurityTracker URL:  http://securitytracker.com/id/1016110
CVE Reference:   CVE-2006-2438   (Links to External Site)
Updated:  Sep 1 2009
Original Entry Date:  May 16 2006
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.0.17, 3.0.18
Description:   A vulnerability was reported in Caucho Resin. A remote user can view files on the target system.

The Resin documentation viewfile servlet does not properly validate user-supplied input. A remote user can supply a URL with a specially crafted 'contextpath' parameter to view files outside of the 'resin-doc' directory but within the web root directory.

A remote user can exploit this to, for example, view class files.

A demonstration exploit URL is provided:

http://[target]/resin-doc/viewfile/?contextpath=/&servletpath=&file=WEB-
INF/classes/com/webapp/app/target.class

A remote user can also supply a non-existent path to cause the server to disclose the installation path.

Systems that use the standard 'resin.conf' configuration file and Resin directory structure for configuring the application are affected.

The vendor was notified on May 5, 2006.

ScanAlert's Security and Enterprise Services Teams discovered this vulnerability.

Impact:   A remote user can view all files within the web root directory on the target system.
Solution:   The vendor has issued a fixed version (3.0.19), available at:

http://www.caucho.com/download/index.xtp

The report indicates that you can also remove the resin-doc.war file from all production systems and that you should not deploy using default configuration files.

Vendor URL:  www.caucho.com/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Tue, 16 May 2006 09:19:15 -0700
Subject:  ScanAlert Security Advisory

ScanAlert Security Advisory
http://www.scanalert.com

Caucho Resin Multiple Vulnerabilities - Arbitrary File Access & Information
Disclosure

Date: 5/16/06
Vendor: Caucho
Package: Resin
Version: 3.0.17 and 3.0.18 – Vendor Confirmed
Credit: ScanAlert’s Security and Enterprise Services Teams.

Risk:
Common Vulnerability Scoring System (CVSS) -
http://www.first.org/cvss/intro/
 
Related Exploit Range: Remote
Attack Complexity: Low 
Level Of Authentication Needed: Not Required  
Confidentiality Impact: Partial 
Integrity Impact: Partial 
Availability Impact: None

Overview

Caucho Resin is a high performance, Sun certified J2EE server featuring load
balancing for increased reliability. Resin is well known for its flexibility
and ease of use, saving both engineering time and staff costs. 

Vulnerabilities

Resin contains documentation that is available in the /webapps directory and
is an expanded war file available at /resin-doc by default when using the
standard resin.conf and Resin directory structure for configuring the
application. 

This documentation contains a servlet for viewing files within the
integrated tutorial:

http://targetsystem/resin-doc/viewfile/?contextpath=%2Fresin-doc%2Fjmx%2Ftut
orial%2Fbasic&servletpath=%2Findex.xtp&file=index.jsp&re-marker=&re-start=&r
e-end=#code-highlight

The viewfile servlet can easily read any file within the web root with no
parameters:

http://targetsystem/resin-doc/viewfile/?file=index.jsp

It is possible to set the context path outside of the resin-doc and read any
file on alternate web roots:

http://targetsystem/resin-doc/viewfile/?contextpath=/otherwebapp&servletpath
=&file=WEB-INF/web.xml

When resin-doc is installed on a system it is possible to read all files
contained within the web root including class files which can then be
decompiled to view the Java source:

http://targetsystem/resin-doc/viewfile/?contextpath=/&servletpath=&file=WEB-
INF/classes/com/webapp/app/target.class

An incorrect path in the request will reveal the absolute installation path:

File not found
/C:/customer/sites/deploy/n/wwwroot/WEB-INF/classes/com/webapp/app/non-exist
ant.class

Solution: 

Remove the resin-doc.war file from all production systems and do not deploy
using default configuration files. Upgrade to version 3.0.19 or better.

Resolution Timeline:

Vendor Notification: May 5, 2006
Vendor Response: May 9, 2006
Vendor Fix: May 15, 2006
Coordinated public release of advisory: May 16, 2006
----------------------------------------------------------------------------
--------------------------

ScanAlert's mission is to make the web safe from hackers.

We make web sites secure from hackers and certify it to their customers via
our patent pending HACKER SAFE® security certification technology. Our daily
security audits and real-time certification enables consumers to know
whether the sites where they shop are taking the necessary steps to
safeguard their personal information from hackers. By alleviating consumers'
fears of identity theft and credit card fraud, online merchants who earn
HACKER SAFE certification consistently see substantial increases in online
transactions

For additional information regarding ScanAlert and the Hacker Safe program
please contact:

Joseph Pierini, CISSP | Director, Enterprise Services
ScanAlert ( www.scanalert.com)
860 Napa Valley Corporate Way
Suite R
Napa, CA 94558
Phone: 877 302-9965 
Int'l: 707 224-7656 
Fax: 707 252-9626
Email: joep@scanalert.com



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC