SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Web Server/CGI)  >   Resin
Vendors:   Caucho Technology
Caucho Resin 'HelloServlet' Example Code Discloses Web Directory Path to Remote Users
SecurityTracker Alert ID:  1004630
SecurityTracker URL:  http://securitytracker.com/id/1004630
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 26 2002
Impact:   Disclosure of system information
Exploit Included:  Yes  
Version(s): 2.0.5 - 2.1.2
Description:   A vulnerability was reported in Caucho's Resin web server. A remote user can determine the physical path of the web root directory.

A remote user can request the 'HelloServlet' example servlet that ships in Resin's examples directory. The servlet's response includes the absolute filesystem path of its own source file, which reveals the directory Resin is installed in and, with it, the location of the web root. A demonstration exploit URL is provided:

http://target:8080/examples/basic/servlet/HelloServlet

Impact:   A remote user can determine the physical path of the web root directory.
Solution:   No solution was available at the time of this entry.

The author of the report has indicated that you can remove the /examples directory to avoid this problem.

Vendor URL:  www.caucho.com/
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Caucho Resin Path Disclosure



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

====================================
Caucho Resin Path Disclosure

Released: June 24th 2002
====================================


Problem
- -------
While working with Resin, I found that it is possible to disclose the physical path to the web root.  An attacker may use this information in order to gain unauthorized access to the webserver.

If this has already been posted, please disregard this message and send all hate/flame mail to the email address at the end of this message.


Risk Level
- ----------
Low


Tested Versions
- -------------------
Resin 2.0.5 - 2.1.2


Details
- -------
By making a request for: http://target:8080/examples/basic/servlet/HelloServlet

Will result in:

Hello, world!
The source of this servlet is in:

C:\Documents and Settings\Administrator\Desktop\share\resin-2.1.1\doc\examples\basic\WEB-INF\classes\HelloServlet.java


Vendor Website
- --------------
http://www.caucho.com


Fix Information
- ---------------
Remove the /examples directory.


Author
- ------
Original Guru
www.security-protocols.com
<admin at security-protocols.com>



-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wmcEARECACcFAj0X1+wgHHNlY3VyaXR5LXByb3RvY29sc0BodXNobWFpbC5jb20ACgkQ
NAoGe68ymd2jPACeO7sKghRdI1MMyvCuk3tpwtk1pDwAoJkh38d84Gou5GgFht7RihMI
YvD0
=cyn4
-----END PGP SIGNATURE-----



Copyright 2021, SecurityGlobal.net LLC