Caucho Technology Resin 1.2/1.3 JavaBean Disclosure Vulnerability

ID EDB-ID:20722
Type exploitdb
Reporter lovehacker
Modified 2001-04-03T00:00:00


Caucho Technology Resin 1.2/1.3 JavaBean Disclosure Vulnerability. CVE-2001-0399. Remote exploits for multiple platform


A specially constructed HTTP request could enable a remote attacker to gain read access to any known JavaBean file residing on a host running Resin.

On Resin webservers, JavaBean files reside in a protected directory, '/WEB-INF/classes/'. Unfortunately, this protection can be bypassed due to an input validation bug in the Resin webserver. If an attacker inserts the substring '.jsp' before the path of the JavaBean in the request, the webserver will incorrectly interpret the request and serve the contents of the requested JavaBean to the client.

An attacker exploiting this may be able to gain sensitive information contained in the JavaBeans.