
Resin 1.2.* & 1.3b1 show source vulnerability



Vulnerability

    Resin

Affected

    Resin 1.2.* & 1.3b1

Description

    The following is based on CHINANSL Security Advisory CSA-200111.  A
    security vulnerability has been found  in Windows NT/2000  systems
    that have Resin 1.2.* or Resin 1.3b1 installed.  The vulnerability
    allows remote attackers to read JavaBean source files  inside  the
    forbidden WEB-INF directory.  For example:

        http://Resin1.*:8080/WEB-INF/classes/Env.java

    The request returns:

        403 Forbidden

    But if ".jsp" is inserted before "/WEB-INF/", the Resin server sends
    back the content of Env.java instead of the 403.

    Exploit:

        http://Resin1.*:8080/.jsp/WEB-INF/classes/Env.java

    This causes the Resin server to send back the content of  Env.java.
    Remote attackers can read any JavaBean source file whose path  they
    know.
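    The advisory shows why a prefix-only check on the request path is not
    enough: the "/WEB-INF/" protection is defeated by a leading ".jsp"
    segment.  The following is an added example, not code from the
    advisory or from Resin.  It contrasts a naive prefix check with a
    check over every segment of the normalized path, and runs the latter
    as a detection over a few constructed access-log lines so that served
    (non-4xx) requests touching WEB-INF stand out.  The hostnames, log
    lines and function names are assumptions made for the example.

```python
"""Segment-based WEB-INF check versus a prefix-only check (added example).

Assumes nothing about Resin internals; it models the generic servlet rule
that WEB-INF and META-INF must never be served, and shows how a check on
the normalized path catches the ".jsp/WEB-INF/" variant from the advisory.
"""
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Directories the servlet specification says must not be served to clients.
PROTECTED = {"WEB-INF", "META-INF"}


def naive_is_forbidden(path: str) -> bool:
    """Prefix-only check of the kind the advisory's ".jsp/" trick defeats."""
    return path.startswith("/WEB-INF/") or path.startswith("/META-INF/")


def normalized_segments(raw_path: str) -> list[str]:
    """Percent-decode, collapse "." / ".." with normpath, split into segments."""
    decoded = unquote(raw_path)
    collapsed = normpath("/" + decoded.lstrip("/"))
    return [seg for seg in collapsed.split("/") if seg]


def robust_is_forbidden(raw_path: str) -> bool:
    """True if ANY normalized segment names a protected directory.

    Compared case-insensitively because Windows file systems, where the
    advisory applies, are case-insensitive.
    """
    return any(seg.upper() in PROTECTED for seg in normalized_segments(raw_path))


# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2001:12:00:01 +0000] "GET /index.jsp HTTP/1.0" 200 512
10.0.0.5 - - [10/Nov/2001:12:00:02 +0000] "GET /WEB-INF/classes/Env.java HTTP/1.0" 403 0
10.0.0.5 - - [10/Nov/2001:12:00:03 +0000] "GET /.jsp/WEB-INF/classes/Env.java HTTP/1.0" 200 1024
"""


def request_path(log_line: str) -> str:
    """Extract the path of the quoted request field ('GET /path HTTP/1.0')."""
    request = log_line.split('"')[1]
    target = request.split()[1]
    return urlsplit(target).path


def find_exposures(log_text: str) -> list[str]:
    """Paths that touch a protected directory AND were served (status < 400).

    A 403 on /WEB-INF/... is the container doing its job; a 200 on a path
    containing a WEB-INF segment is the exposure the advisory describes.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        path = request_path(line)
        status = int(line.rsplit('"', 1)[1].split()[0])
        if robust_is_forbidden(path) and status < 400:
            hits.append(path)
    return hits


if __name__ == "__main__":
    bypass = "/.jsp/WEB-INF/classes/Env.java"
    print("naive check blocks bypass? ", naive_is_forbidden(bypass))   # False
    print("segment check blocks bypass?", robust_is_forbidden(bypass))  # True
    print("served protected paths:", find_exposures(SAMPLE_LOG))
```

    The point of the segment-based check is that the comparison happens
    after decoding and normalization and looks at every segment, so a
    decoy first segment or a "../" sequence cannot move WEB-INF out of
    the position a prefix check inspects.  A container should enforce
    this itself; the log scan is a cheap way to confirm whether an
    unpatched server has already served such paths.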

Solution

    Modify resin.conf.


Site design & layout copyright © 1986-2014 AOH