Re: KPMG-2002033: Resin DOS device path disclosure

[security-protocols () hushmail com]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Resin 2.1.0 also appears vulnerable mr. peter fundl.

// badpack3t.

On Wed, 17 Jul 2002 11:33:59 +0200, =?iso-8859-1?Q?Peter_Gr=FCndl?= <pgrundl () kpmg dk> wrote:
> --------------------------------------------------------------------
>
> Title: Resin DOS device path disclosure
>
> BUG-ID: 2002033
> Released: 17th Jul 2002
> --------------------------------------------------------------------
>
> Problem:
> ========
> It is possible to disclose the physical path to the webroot. This
> information could be useful to a malicious user wishing to gain
> illegal access to resources on the server.
>
>
> Vulnerable:
> ===========
> - Resin 2.1.1 on Windows 2000 Server
> - Resin 2.1.2 on Windows 2000 Server
>
>
> Not Vulnerable:
> ===============
> - Resin 2.1.s020711 on Windows 2000 Server
>
>
> Details:
> ========
> Requesting certain DOS devices, such as lpt9.xtp, results in an error
> message that contains the physical path to the web root.
>
> 500 Servlet Exception
> java.io.FileNotFoundException: C:\Documents and Settings\Administrator
> \Desktop\resin-2.1.1\resin-2.1.1\doc\aux.xtp
> (Access is denied)
>
>
> Vendor URL:
> ===========
> You can visit the vendor webpage here: http://www.caucho.com
>
>
> Vendor response:
> ================
> The vendor was notified on the 22nd of May, 2002. On the 12th of
> July we verified that the problem was corrected in the latest build
> (s020711).
>
>
> Corrective action:
> ==================
> Upgrade to a newer version. This issue was first resolved in build
> s020711, available here: http://www.caucho.com/download/index.xtp
>
>
> Author: Peter Gründl (pgrundl () kpmg dk)
>
> --------------------------------------------------------------------
> KPMG is not responsible for the misuse of the information we provide
> through our security advisories. These advisories are a service to
> the professional security community. In no event shall KPMG be lia-
> ble for any consequences whatsoever arising out of or in connection
> with the use or spread of this information.
> --------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wmcEARECACcFAj01sPsgHHNlY3VyaXR5LXByb3RvY29sc0BodXNobWFpbC5jb20ACgkQ
NAoGe68ymd2tswCfc55pTUjX/iW6VEMiY81SLvt/cfgAmwbd79bNOV4G/ieN9AmY36eW
EPDl
=cSnY
-----END PGP SIGNATURE-----


Communicate in total privacy.
Get your free encrypted email at https://www.hushmail.com/?l=2

Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople