Caucho Technology Resin 1.2/1.3 JavaBean Disclosure Vulnerability

2001-04-03T00:00:00
ID EDB-ID:20722
Type exploitdb
Reporter lovehacker
Modified 2001-04-03T00:00:00

Description

Caucho Technology Resin 1.2/1.3 JavaBean Disclosure Vulnerability. CVE-2001-0399. Remote exploits for multiple platform

                                        
                                            source: http://www.securityfocus.com/bid/2533/info

A specially constructed HTTP request could enable a remote attacker to gain read access to any known JavaBean file residing on a host running Resin.

On Resin webservers, JavaBean files reside in a protected directory, '/WEB-INF/classes/'. Unfortunately, this protection can be bypassed due to an input validation bug in the Resin webserver. If an attacker inserts the substring '.jsp' before the path of the JavaBean in the request, the webserver will incorrectly interpret the request and serve the contents of the requested JavaBean to the client.

An attacker exploiting this may be able to gain sensitive information contained in the JavaBeans. 

http://target/.jsp/WEB-INF/classes/filename