SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Resin Vendors:   Caucho Technology
Resin Web Servlet and Java Engine Discloses JavaBean Contents to Remote Users
SecurityTracker Alert ID:  1001234
SecurityTracker URL:  http://securitytracker.com/id/1001234
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 4 2001
Impact:   Disclosure of user information
Exploit Included:  Yes  
Version(s): 1.2.*, 1.3b1
Description:   The CHINASL Security Team released an advisory for the Resin Web Server, which may disclose Javabean file contents to remote users.

The vulnerability reportedly allows remote users to view Javabean files in "Forbidden" directories.

When using the following type of URL:

http://Resin1.*:8080/WEB-INF/classes/Env.java

The server will return a "403 Forbidden" HTTP error. However, if ".jsp" is inserted before "/WEB-INF/", the Resin server will return the content of Env.java.

It is reported that only files within the app-dir can be retrieved.

Impact:   A remote user can obtain Javabean contents.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.caucho.com/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (NT), Windows (2000)
Underlying OS Comments:  Windows NT/2000 vulnerable, others possible but not tested

Message History:   None.


 Source Message Contents

Subject:  CHINANSL Security Advisory(CSA-200111)


Topic: Resin 1.2.* & 1.3b1 Javabean file disclosure 
vulnerability 

vulnerable:
=============

winnt/2000(maybe other operating system also)
    +Resin 1.2.*
    +Resin 1.3b1

discussion:
===========

A security vulnerability has been found in Windows 
NT/2000 systems that have Resin 1.2.* or Resin 
1.3b1 installed. The vulnerability allows remote 
attackers to view Javabean file in Forbidden directory.
For example:
http://Resin1.*:8080/WEB-INF/classes/Env.java
The request will be return : 403 Forbidden But if 
inserting ".jsp" before "/WEB-INF/" .Resin server to 
send back the content of Env.java.


Exploits:
==========

http://Resin1.*:8080/.jsp/WEB-INF/classes/Env.java
It is possible to cause the Resin server to send back 
the content of Env.java.Remote Attackers can view 
any known JavaBean file. 

solution:
=========

I can not get any file outside the app-dir. maybe you 
can modify resin.conf. 


DISCLAIMS:
========
THE INFORMATION PROVIDED IS RELEASED BY 
CHINANSL "AS IS" WITHOUT WARRANTY OF 
ANYKIND. CHINANSL DISCLAIMS ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, 
EXCEPT FOR THE WARRANTIES OF 
MERCHANTABILITY. IN NO EVENTSHALL 
CHINANSL BE LIABLE FOR ANY DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, 
INCIDENTAL,CONSEQUENTIAL, LOSS OF 
BUSINESS PROFITS OR SPECIAL DAMAGES, 
EVEN IF CHINANSL HAS BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION 
OR REPRODUTION OF THE INFORMATION IS 
PROVIDED THAT THE ADVISORY IS NOT 
MODIFIED IN ANY WAY. 

Copyright 2000-2001 CHINANSL. All Rights 
Reserved. Terms of use. 
CHINANSL Security Team 
lovehacker@chinansl.com
CHINANSL INFORMATION TECHNOLOGY CO.,LTD 
(http://www.chinansl.com)



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC