Caucho Resin Path Disclosure

From: security-protocolsat_private
Date: Mon Jun 24 2002 - 19:44:35 PDT


    
    ====================================
    Caucho Resin Path Disclosure
    
    Released: June 24th 2002
    ====================================
    
    
    Problem
    -------
    While working with Resin, I found that it is possible to disclose the physical path to the webroot.  An attacker may use this information in order to gain unauthorized access to the webserver.
    
    If this has already been posted, please disregard this message and send all hate/flame mail to the email address at the end of this message.
    
    
    Risk Level
    ----------
    Low
    
    
    Tested Versions
    ---------------
    Resin 2.0.5 - 2.1.2
    
    
    Details
    -------
    Making a request for: http://target:8080/examples/basic/servlet/HelloServlet
    
    results in:
    
    Hello, world!
    The source of this servlet is in:
    
    C:\Documents and Settings\Administrator\Desktop\share\resin-2.1.1\doc\examples\basic\WEB-INF\classes\HelloServlet.java
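As an added illustration, not part of the advisory, here is a small Python check that scans an HTTP response body for leaked absolute filesystem paths, using the HelloServlet output above as constructed sample input; the regular expressions and the WEB-INF heuristic are my own assumptions, not anything Resin or the author provides.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the response body quoted in the advisory above
# (the HelloServlet output that echoes the servlet's source location).
SAMPLE_BODY = (
    "Hello, world!\n"
    "The source of this servlet is in:\n"
    "C:\\Documents and Settings\\Administrator\\Desktop\\share\\"
    "resin-2.1.1\\doc\\examples\\basic\\WEB-INF\\classes\\HelloServlet.java\n"
)

# Windows drive-letter paths (C:\dir\file) and UNC paths (\\host\share).
WINDOWS_PATH = re.compile(r"(?:[A-Za-z]:\\|\\\\)[^\r\n\"'<>|]+")
# Unix absolute paths rooted at well-known directories, to limit false
# positives from ordinary URL paths such as /examples/basic (assumed list).
UNIX_PATH = re.compile(r"/(?:home|usr|var|opt|etc|srv|tmp)/[^\s\"'<>]+")


@dataclass(frozen=True)
class Finding:
    kind: str   # "windows" or "unix"
    path: str


def find_leaked_paths(body: str) -> List[Finding]:
    """Return absolute filesystem paths found in an HTTP response body."""
    findings = [Finding("windows", m.group(0).rstrip())
                for m in WINDOWS_PATH.finditer(body)]
    findings += [Finding("unix", m.group(0)) for m in UNIX_PATH.finditer(body)]
    return findings


def webroot_hint(path: str) -> Optional[str]:
    """If a leaked path lies under WEB-INF, return the web root it implies."""
    idx = path.find("WEB-INF")
    if idx == -1:
        return None
    return path[:idx].rstrip("\\/")


if __name__ == "__main__":
    for f in find_leaked_paths(SAMPLE_BODY):
        print(f"{f.kind}: {f.path}")
        root = webroot_hint(f.path)
        if root:
            print(f"  implied web root: {root}")
```

Run it against captured responses from your own deployment (for example from a crawl of the served URLs) to confirm that no error page or sample servlet still echoes server-side paths.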
    
    
    Vendor Website
    --------------
    http://www.caucho.com
    
    
    Fix Information
    ---------------
    Remove the /examples directory.
    
    
    Author
    ------
    Original Guru
    www.security-protocols.com
    <admin at security-protocols.com>
    
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jun 25 2002 - 19:20:24 PDT