SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Resin
Vendors:   Caucho Technology
Resin Web Server Discloses Files on the System to Remote Users and Allows Remote Users to Crash the Server
SecurityTracker Alert ID:  1004552
SecurityTracker URL:  http://securitytracker.com/id/1004552
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 17 2002
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.1.1, 2.1.2
Description:   KPMG reported several vulnerabilities in the Resin web server. A remote user can view files on the system that are located outside of the web root directory. A remote user can also cause the web service and possibly the entire server to crash.

In a default installation, the view_source.jsp script is reportedly installed as part of the examples folder. This script contains a bug that allows remote users to view arbitrary files that are on the same partition (drive) as the web server and that are readable by the web service. The script reportedly rejects the forward-slash traversal sequence '/../' but fails to filter the Windows backslash form '\..\', which the operating system treats as an equivalent path separator.
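The weak substring filter described above, beside a containment check that closes the backslash bypass, as an added example. This is illustrative Python, not the view_source.jsp code shipped with Resin; the examples directory path and the `file` query parameter name are assumptions, and ntpath is used so the Windows path semantics the advisory concerns apply on any host.

```python
import ntpath
from urllib.parse import unquote

# Assumed location of the Resin examples folder (the advisory does not state the install path).
EXAMPLES_DIR = r"C:\resin\webapps\examples"


def naive_filter_allows(requested: str) -> bool:
    """The weak check the advisory describes: only the forward-slash form "/../" is rejected.

    Returns True when the request would be served. Windows also accepts "\\" as a
    separator, so "..\\..\\winnt\\win.ini" passes untouched.
    """
    return "/../" not in requested


def resolve_inside(base: str, requested: str):
    """Return the canonical path for `requested` if it stays inside `base`, else None.

    ntpath is used deliberately so the Windows semantics the advisory concerns
    (backslash separators, drive letters, case-insensitive names) apply on any host.
    """
    if "\x00" in requested:
        return None
    # Rooted or drive-qualified input ("\\winnt\\win.ini", "C:\\winnt", "\\\\srv\\share")
    # would replace `base` inside ntpath.join, so reject it before joining.
    if requested.startswith(("\\", "/")) or ntpath.splitdrive(requested)[0]:
        return None
    # normpath collapses "." and ".." whichever separator was used.
    candidate = ntpath.normpath(ntpath.join(base, requested))
    base_norm = ntpath.normpath(base)
    inside = ntpath.normcase(candidate) == ntpath.normcase(base_norm) or \
        ntpath.normcase(candidate).startswith(ntpath.normcase(base_norm) + "\\")
    return candidate if inside else None


def serve_view_source(file_param: str):
    """Model of the script's entry point: decode the (assumed) `file` query value once,
    then apply the containment check instead of a substring filter."""
    return resolve_inside(EXAMPLES_DIR, unquote(file_param))


if __name__ == "__main__":
    # Constructed request values: two benign requests and the backslash bypass from the advisory.
    for value in ["hello.jsp", "sub/../hello.jsp", "..%5C..%5C..%5Cwinnt%5Cwin.ini"]:
        print(f"{value!r}: naive={naive_filter_allows(unquote(value))} "
              f"hardened={serve_view_source(value)}")
```

The containment check compares the normalized candidate against the normalized base rather than searching for traversal strings, so it holds for mixed separators, repeated `..` sequences and percent-encoded input alike; decoding happens exactly once, before the check, because decoding after it reopens the same hole.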

A remote user can also reportedly supply very large parameter values in requests for non-existent resources, causing the web server to consume all available memory on the server. This may cause components of the web server, or the entire server, to hang or crash.

A remote user can also request the DOS device 'con' with a registered extension (e.g., 'con.jsp' or 'con.xtp'); Windows resolves the name to the console device regardless of the extension, and the request ties up a worker thread. After approximately 150 such requests, the web server reportedly stops servicing HTTP requests.
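An added request-triage example covering both denial-of-service conditions described above (oversized parameter values in requests for non-existent resources, and requests naming reserved Windows devices). It is not Resin code and the sample request lines, size limits and classification labels are constructed for illustration. It generalizes the advisory slightly: because Windows resolves a device name in any path segment and ignores the extension, every segment is checked against the full reserved-name list, not only 'con' with '.jsp' or '.xtp'.

```python
import re
from urllib.parse import unquote, urlsplit

# Windows reserved device names; "con.jsp" or "CON.xtp" still opens the console device,
# because the name before the first dot is what matters and the extension is ignored.
RESERVED_DEVICES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)

# Assumed limits; the advisory gives no figures, these are illustrative.
MAX_TARGET_LEN = 2048   # whole request target (path + query)
MAX_PARAM_LEN = 1024    # any single decoded parameter value

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def reserved_device_in_path(path: str) -> bool:
    """True if any path segment names a Windows device, after URL-decoding.

    Windows also strips trailing spaces, so "con .jsp" is checked as "con".
    """
    for segment in unquote(path).replace("\\", "/").split("/"):
        stem = segment.split(".", 1)[0].rstrip(" ").lower()
        if stem in RESERVED_DEVICES:
            return True
    return False


def triage_request_line(line: str):
    """Classify one HTTP request line; returns a reason string or None when it looks benign."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return "malformed-request-line"
    target = m.group("target")
    if len(target) > MAX_TARGET_LEN:
        return "oversized-target"
    parts = urlsplit(target)
    if reserved_device_in_path(parts.path):
        return "reserved-device-name"
    for pair in parts.query.split("&"):
        # partition("=")[2] is the value part; decode it before measuring.
        if len(unquote(pair.partition("=")[2])) > MAX_PARAM_LEN:
            return "oversized-parameter"
    return None


def triage(lines):
    """Return [(line, reason)] for every request line that should be rejected or alerted on."""
    hits = []
    for line in lines:
        reason = triage_request_line(line)
        if reason is not None:
            hits.append((line, reason))
    return hits


# Constructed sample request lines (not from the advisory).
SAMPLE_REQUEST_LINES = [
    "GET /examples/hello.jsp HTTP/1.0",
    "GET /con.jsp HTTP/1.0",
    "GET /examples/CON.xtp HTTP/1.0",
    "GET /%63on.jsp HTTP/1.0",
    "GET /aux/index.jsp HTTP/1.0",
    "GET /nosuchpage.jsp?x=" + "A" * 1500 + " HTTP/1.0",
    "GET /nosuchpage.jsp?x=" + "A" * 3000 + " HTTP/1.0",
]

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_REQUEST_LINES):
        print(f"{reason:22s} {line[:60]}")
```

Run in front of the servlet engine (or over an access log), the same function serves as a request filter and as a detection rule: the 150-request pattern from the advisory shows up as a burst of `reserved-device-name` hits from one client, while the memory-exhaustion pattern shows up as `oversized-parameter` or `oversized-target` hits against paths that return 404.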

Impact:   A remote user can view files located outside of the web root directory if the files are on the same partition (drive) as the web server and are readable by the web server. A remote user can cause the web service to crash and may be able to cause the entire system to crash.
Solution:   The vendor has released a fixed version (2.1.2) to correct the denial of service vulnerabilities, available at:

http://www.caucho.com/download/

To correct the file viewing vulnerability, remove view_source.jsp (or, as the reporter recommends, the entire examples folder) from the installation; sample applications should not be deployed on production servers.

Vendor URL:  www.caucho.com/
Cause:   Access control error, Exception handling error, Input validation error, Resource error
Underlying OS:  Windows (Any)

Message History:   None.


Source Message Contents

Subject:  KPMG-2002022: Resin DOS device Denial of Service



--------------------------------------------------------------------

Title: Resin view_source.jsp Arbitrary File Reading

BUG-ID: 2002020
Released: 17th Jun 2002
--------------------------------------------------------------------

Problem:
========
In a default installation of Resin server, the examples folder will
be installed as well. This folder contains a jsp script that can be
used to view arbitrary file contents with the permissions of the
web service.


Vulnerable:
===========
- view_source.jsp from Resin 2.1.2 standalone on Windows 2000 Server


Details:
========
The sample script view_source.jsp tries to chroot to the folder
where it is located. If you look at the sourcecode, it says:

"// Chroot to the current directory so no one can use this as a p
 // security hold"

Attempts to use /../ to break out of the examples folder are also
foiled by the script. However, if you replace the /../ with \..\
you can access any file on the drive that Resin has access to.


Vendor URL:
===========
You can visit the vendor webpage here: http://www.caucho.com


Corrective action:
==================
Remove the examples folder from your website.




--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be liable
for any consequences whatsoever arising out of or in connection with
the use or spread of this information.
--------------------------------------------------------------------



--------------------------------------------------------------------

Title: Resin Large Parameter Denial of Service

BUG-ID: 2002021
Released: 17th Jun 2002
--------------------------------------------------------------------

Problem:
========
It is possible for a malicious user to cause a Denial of Service
by requesting certain malformed URLs from the Resin web server.


Vulnerable:
===========
- Resin 2.1.1 standalone on Windows 2000 Server


Not Vulnerable:
===============
- Resin 2.1.2 standalone on Windows 2000 Server


Details:
========
By defining large variables when accessing non-existent resources,
it is possible to consume the entire workspace on the server. This
will result in hanging parts of or the entire web server.


Vendor URL:
===========
You can visit the vendor webpage here: http://www.caucho.com


Vendor Response:
================
This was reported to the vendor on the 22nd of May, 2002. On the 11th
of June, 2002 the vendor released a new version that corrects the
issue.


Corrective action:
==================
Upgrade to version 2.1.2 available from:
http://www.caucho.com/download/








--------------------------------------------------------------------

Title: Resin DOS device Denial of Service

BUG-ID: 2002022
Released: 17th Jun 2002
--------------------------------------------------------------------

Problem:
========
It is possible for a malicious user to cause a Denial of Service
by requesting certain malformed URLs from the Resin web server.


Vulnerable:
===========
- Resin 2.1.1 standalone on Windows 2000 Server


Not Vulnerable:
===============
- Resin 2.1.2 standalone on Windows 2000 Server


Details:
========
Requesting the DOS device "con" with a registered extension (e.g. .jsp
or .xtp) will tie up a working thread. If a malicious user requests
about 150 of these, the web server will no longer service http
requests.


Vendor URL:
===========
You can visit the vendor webpage here: http://www.caucho.com


Vendor Response:
================
This was reported to the vendor on the 23rd of May, 2002. On the 28th
of May, 2002 the vendor released a new snapshot (beta) that corrected
the issue. On the 11th of June, 2002 the vendor released a new version
that corrects the issue.


Corrective action:
==================
Upgrade to version 2.1.2 available from:
http://www.caucho.com/download/






 
 



Copyright 2021, SecurityGlobal.net LLC