


Category:   Application (Web Server/CGI)  >   Resin
Vendors:   Caucho Technology
Caucho Resin Web Server Discloses Physical Path of Web Root Directory to Remote Users
SecurityTracker Alert ID:  1004792
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 18 2002
Impact:   Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.1.1, 2.1.2
Description:   KPMG reported an information disclosure vulnerability in Caucho's Resin web server. A remote user can determine the physical path of the web root directory.

A remote user can reportedly request certain DOS devices (e.g., lpt9.xtp) to generate an error message that displays the physical path of the web server root directory.

Impact:   A remote user can determine the physical path of the web root directory.
Solution:   The vendor has reportedly released a fixed version (build s020711), available at:

Vendor URL:
Cause:   Exception handling error
Underlying OS:  Windows (Any)
Underlying OS Comments:  Confirmed on Windows 2000

Message History:   None.

 Source Message Contents

Subject:  KPMG-2002033: Resin DOS device path disclosure


Title: Resin DOS device path disclosure

BUG-ID: 2002033
Released: 17th Jul 2002

It is possible to disclose the physical path to the webroot. This
information could be useful to a malicious user wishing to gain
illegal access to resources on the server.

- Resin 2.1.1 on Windows 2000 Server
- Resin 2.1.2 on Windows 2000 Server

Not Vulnerable:
- Resin 2.1.s020711 on Windows 2000 Server

Requesting certain DOS devices, such as lpt9.xtp, results in an error
message that contains the physical path to the web root.

500 Servlet Exception C:\Documents and Settings\Administrator
(Access is denied)

Vendor URL:
You can visit the vendor webpage here:

Vendor response:
The vendor was notified on the 22nd of May, 2002. On the 12th of
July we verified that the problem was corrected in the latest build

Corrective action:
Upgrade to a newer version. This issue was first resolved in build
s020711, available here:

KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be liable
for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
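
A defender-side check for the behaviour this advisory describes, added here as an example (it is not code from KPMG, SecurityTracker or Caucho): it flags access-log requests whose file base name is a reserved DOS device, and finds absolute Windows paths in an error body. The common-log-format layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Reserved DOS device names on Windows. "lpt9.xtp" still resolves to LPT9
# because the extension is ignored when the base name is a device.
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL"} | {f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}
# Absolute Windows path such as C:\Documents and Settings\...
WIN_PATH = re.compile(r'\b[A-Za-z]:\\[^\r\n<>"|?*]*')
# Common log format fragment: "METHOD target PROTO" status
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def is_dos_device_request(target):
    """True if any path segment's base name is a reserved DOS device."""
    path = unquote(urlsplit(target).path)  # decode %61ux -> aux before checking
    for segment in re.split(r"[/\\]", path):
        base = segment.split(".", 1)[0].rstrip(" :").upper()
        if base in DOS_DEVICES:
            return True
    return False


def leaked_paths(body):
    """Absolute Windows paths present in a response body."""
    return [m.group(0).strip() for m in WIN_PATH.finditer(body)]


def scan_access_log(lines):
    """Return (target, status) for every request naming a DOS device."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m and is_dos_device_request(m.group("target")):
            hits.append((m.group("target"), int(m.group("status"))))
    return hits


# Constructed sample input (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jul/2002:10:00:01 +0000] "GET /index.xtp HTTP/1.0" 200 5120',
    '192.0.2.10 - - [18/Jul/2002:10:00:05 +0000] "GET /lpt9.xtp HTTP/1.0" 500 312',
    '192.0.2.11 - - [18/Jul/2002:10:01:12 +0000] "GET /docs/%61ux.jsp?x=1 HTTP/1.0" 500 298',
    '192.0.2.12 - - [18/Jul/2002:10:02:40 +0000] "GET /console.html HTTP/1.0" 200 880',
]
SAMPLE_BODY = "500 Servlet Exception C:\\Documents and Settings\\Administrator\n(Access is denied)"

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG), leaked_paths(SAMPLE_BODY))
```

A device-name request answered with status 500 is the pattern to review first; running `leaked_paths` over captured error bodies confirms whether the response actually exposed a path.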

