Resin Web Servlet and Java Engine Allows Unauthorized Access to Directories and Files Outside of the Web Root Directory
SecurityTracker Alert ID: 1000942
SecurityTracker URL: http://securitytracker.com/id/1000942
Date: Feb 16 2001
Impact: Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): Resin 1.2.2
A vulnerability has been reported in Resin 1.2.2 that allows a remote user to view server directory listings and files outside of the web root by using relative path components (e.g., '..', '...'). Resin is a servlet and JSP engine that works with many popular web servers.
According to the report, Resin does check that the requested path lies within the web root. However, the check does not treat a '..' or '...' component that is preceded by a backslash as a traversal component, so inserting a backslash before each such component defeats the check.
The following URL demonstrates this vulnerability:
The vulnerability allows a remote attacker to view directory listings and files that lie outside of the web root directory.
The vendor has released an upgrade, 1.2.3. For more information, see: http://www.caucho.com/download/index.xtp
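The following Python model is added here to illustrate the class of bug the advisory describes; it is not Resin's code and not part of the original report. It pairs a containment check that inspects the raw request path before backslashes are translated to forward slashes (the ordering the advisory implies) with a hardened resolver that canonicalizes first and only then checks containment. The web root path, the function names, the assumption that the container accepts both '/' and '\' as separators, and the sample requests are all constructed for illustration; the advisory does not publish Resin's actual check.

```python
import posixpath
import re

# Constructed web root for the example; any absolute path works.
WEB_ROOT = "/var/www/webroot"

# A path segment made only of two or more dots. The advisory lists both '..'
# and '...' as traversal tokens, so the hardened resolver rejects the family.
DOT_SEGMENT = re.compile(r"^\.{2,}$")


def vulnerable_resolve(request_path):
    """Model of the flawed ordering described in the advisory (not Resin's code).

    The containment check looks at '/'-separated segments of the raw request
    path, so a segment such as '\\..' does not compare equal to '..'. Only
    afterwards are backslashes translated to '/', at which point the '..'
    becomes effective. Returns the path that would be served, or None.
    """
    segments = request_path.split("/")
    if any(seg in ("..", "...") for seg in segments):
        return None  # the check only fires on bare '..' or '...' segments

    # Late separator translation (assumed container behaviour): '\\..' -> '/..'
    translated = request_path.replace("\\", "/")
    return posixpath.normpath(posixpath.join(WEB_ROOT, translated.lstrip("/")))


def hardened_resolve(request_path):
    """Canonicalize first, then check containment against the web root.

    1. Translate every separator the server accepts to '/'.
    2. Collapse '.' and '..' with normpath into one absolute path.
    3. Reject any remaining all-dot segment ('...' and longer).
    4. Require the result to be the root itself or to live strictly below it
       (the trailing '/' in the prefix test prevents '/var/www/webroot2'
       from passing as inside '/var/www/webroot').
    Returns the resolved path, or None if the request is rejected.
    """
    root = posixpath.normpath(WEB_ROOT)
    translated = request_path.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(root, translated.lstrip("/")))

    if any(DOT_SEGMENT.match(seg) for seg in candidate.split("/")):
        return None
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: a normal file, a plain traversal that the
    # naive check catches, and the backslash variant that slips past it.
    for req in ("/index.jsp", "/../../../etc/passwd", "/\\..\\..\\../etc/passwd"):
        print(f"{req!r:30} vulnerable={vulnerable_resolve(req)!r} "
              f"hardened={hardened_resolve(req)!r}")
```

The canonicalization here is purely string based so the example runs without a filesystem. On a real server the containment test should be made on the result of `os.path.realpath`, so that a symbolic link inside the web root cannot point outside it, and any percent-decoding the server performs must happen before, not after, the check; both points are general hardening advice and go beyond what the advisory itself states.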
Vendor URL: www.caucho.com
Cause: Input validation error
Underlying OS: UNIX (Any)
Source Message Contents
Subject: Vulnerability in Resin Webserver
----- Begin Hush Signed Message from email@example.com -----
Vulnerability in Resin Webserver
Resin 1.2.2 is a webserver available from http://www.caucho.com and
http://java.tucows.com. A vulnerability exists which allows a remote
user to break out of the web root using relative paths (i.e., '..', '...').
Resin does in fact check that the requested path lies within the webroot,
but by inserting a backslash before any '..' or '...', it is possible
to defeat the check. The following URL demonstrates this vulnerability:
A fixed upgrade, 1.2.3, was released and is available at:
Caucho Technology, Inc was notified via <firstname.lastname@example.org> and
<email@example.com> on Sunday, January 28, 2001. I would like to congratulate
Caucho for being the first cooperative vendor I have ever dealt with.
- Joe Testa ( e-mail: firstname.lastname@example.org / AIM: LordSpankatron )