Bugtraq mailing list archives

Caucho Resin Path Disclosure


From: security-protocols () hushmail com
Date: Mon, 24 Jun 2002 19:44:35 -0700



====================================
Caucho Resin Path Disclosure

Released: June 24th 2002
====================================


Problem
-------
While working with Resin, I found that it is possible to disclose the physical path to the webroot. An attacker may use this information in order to gain unauthorized access to the webserver.

If this has already been posted, please disregard this message and send all hate/flame mail to the email address at the end of this message.


Risk Level
----------
Low


Tested Versions
---------------
Resin 2.0.5 - 2.1.2


Details
-------
Making a request for http://target:8080/examples/basic/servlet/HelloServlet will result in:

Hello, world!
The source of this servlet is in:

C:\Documents and Settings\Administrator\Desktop\share\resin-2.1.1\doc\examples\basic\WEB-INF\classes\HelloServlet.java
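As an added example (not part of the advisory and not Caucho's code), a Python check a defender can run over captured responses and access logs: it flags absolute filesystem paths in a response body, using the output quoted above as sample input, and lists successful requests to the bundled /examples application in constructed common-log-format lines, since a 200 there means the fix below (removing /examples) has not been applied. The path regexes are heuristics and the log lines are constructed.

```python
import re
from typing import List, Tuple

# Response body for /examples/basic/servlet/HelloServlet as quoted in the
# advisory (Resin 2.1.1 unpacked under a Windows user profile directory).
DISCLOSING_BODY = (
    "Hello, world!\n"
    "The source of this servlet is in:\n\n"
    "C:\\Documents and Settings\\Administrator\\Desktop\\share\\resin-2.1.1"
    "\\doc\\examples\\basic\\WEB-INF\\classes\\HelloServlet.java\n"
)
CLEAN_BODY = "Hello, world!\n"  # constructed: same greeting, no path line

# Heuristics for absolute filesystem paths leaking into a response body.
# Windows: drive letter, then backslash-separated segments; spaces are allowed
# inside a segment ("Documents and Settings"), and a segment ends at a path
# separator, a line break or a character Windows forbids in file names.
_WIN_PATH = re.compile(r'[A-Za-z]:\\(?:[^\\\r\n<>"|?*]+\\)*[^\\\r\n<>"|?*]+')
# Unix: a path rooted where a servlet container is typically installed.
_UNIX_PATH = re.compile(r'/(?:usr|opt|var|home|srv)(?:/[^\s/"<>]+)+')


def find_disclosed_paths(body: str) -> List[str]:
    """Return every absolute filesystem path found in an HTTP response body."""
    return _WIN_PATH.findall(body) + _UNIX_PATH.findall(body)


# Constructed access-log lines (common log format) from a Resin host; the
# last one shows the expected 404 once the /examples directory is removed.
ACCESS_LOG = """\
10.0.0.5 - - [24/Jun/2002:19:44:35 -0700] "GET /examples/basic/servlet/HelloServlet HTTP/1.0" 200 151
10.0.0.5 - - [24/Jun/2002:19:44:40 -0700] "GET /index.html HTTP/1.0" 200 2048
10.0.0.9 - - [25/Jun/2002:08:02:11 -0700] "GET /examples/basic/servlet/HelloServlet HTTP/1.0" 404 0
"""
_CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')


def served_example_app_requests(log_text: str) -> List[Tuple[str, str]]:
    """(client, path) for each successful hit on the bundled /examples webapp.

    A 200 means the sample application is still deployed on this host.
    """
    hits = []
    for line in log_text.splitlines():
        m = _CLF.match(line)
        if m and m.group(2).startswith("/examples/") and m.group(3) == "200":
            hits.append((m.group(1), m.group(2)))
    return hits
```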


Vendor Website
--------------
http://www.caucho.com


Fix Information
---------------
Remove the /examples directory.


Author
------
Original Guru
www.security-protocols.com
<admin at security-protocols.com>






