-------------------------------------------------------------------- Title: Resin view_source.jsp Arbitrary File Reading BUG-ID: 2002020 Released: 17th Jun 2002 -------------------------------------------------------------------- Problem: ======== In a default installation of Resin server, the examples folder will be installed as well. This folder contains a jsp script that can be used to view arbitrary file contents with the permissions of the web service. Vulnerable: =========== - view_source.jsp from Resin 2.1.2 standalone on Windows 2000 Server Details: ======== The sample script view_source.jsp tries to chroot to the folder where it is located. If you look at the sourcecode, it says: "// Chroot to the current directory so no one can use this as a p // security hold" Attempts to use /../ to break out of the examples folder are also foiled by the script. However, if you replace the /../ with \..\ you can access any file on the drive that Resin has access to. Vendor URL: =========== You can visit the vendor webpage here: http://www.caucho.com Corrective action: ================== Remove the examples folder from your website. Author: Peter Gründl (pgrundlat_private) -------------------------------------------------------------------- KPMG is not responsible for the misuse of the information we provide through our security advisories. These advisories are a service to the professional security community. In no event shall KPMG be lia- ble for any consequences whatsoever arising out of or in connection with the use or spread of this information. --------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 08:09:31 PDT