[19249] in bugtraq
Vulnerability in Resin Webserver
daemon@ATHENA.MIT.EDU (joetesta@HUSHMAIL.COM)
Thu Feb 15 21:54:04 2001
Message-Id: <200102160143.RAA13542@user7.hushmail.com>
Date: Thu, 15 Feb 2001 20:47:02 -0800
Reply-To: joetesta@HUSHMAIL.COM
From: joetesta@HUSHMAIL.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Vulnerability in Resin Webserver
Overview
Resin 1.2.2 is a webserver available from http://www.caucho.com and
http://java.tucows.com. A vulnerability exists which allows a remote
user to break out of the web root using relative path segments (i.e. '..', '...').
Details
Resin does check that the requested path lies within the web root, but the
check can be defeated by inserting a backslash before any '..' or '...'
segment: the filter evidently looks for the dot segments delimited by forward
slashes, while the underlying filesystem also accepts '\' as a directory
separator. The following URL demonstrates this vulnerability:
http://localhost:8080/\../readme.txt
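The bypass above, shown as an added example that is not Resin's code and not part of the original advisory: `vulnerable_check` is a hypothetical reconstruction of the class of filter the advisory describes (split on '/' and refuse '..' or '...' segments), and `hardened_resolve` is the usual fix, which treats both separators the same, rejects dot-only segments, and compares the canonicalized joined path against the root. `WEB_ROOT` and all sample paths are constructed for the example.

```python
import os
from urllib.parse import unquote

# Constructed web root for the example; only path strings are manipulated,
# nothing is read from disk.
WEB_ROOT = "/var/www/webroot"


def vulnerable_check(url_path: str) -> bool:
    """Hypothetical reconstruction (not Resin's code) of the kind of check the
    advisory describes: split the decoded path on '/' and refuse any segment
    that is exactly '..' or '...'. A segment such as '\\..' is not equal to
    '..', so it passes, yet a Windows file API treats the backslash as a
    directory separator and walks up one level."""
    for segment in unquote(url_path).split("/"):
        if segment in ("..", "..."):
            return False
    return True


def hardened_resolve(url_path: str, web_root: str = WEB_ROOT):
    """Map a URL path to a filesystem path; return None if it leaves web_root.

    Steps: percent-decode (so '%5c' becomes '\\'), treat backslash as a
    separator, reject any segment made only of three or more dots (which
    normpath would not fold), then canonicalize the *joined* path and check
    that it still sits under the root. The canonical comparison is what
    catches '..' however it is delimited."""
    decoded = unquote(url_path).replace("\\", "/")
    for segment in decoded.split("/"):
        if len(segment) >= 3 and set(segment) == {"."}:
            return None
    root = os.path.normpath(web_root)
    candidate = os.path.normpath(os.path.join(root, decoded.lstrip("/")))
    # Both paths are absolute here, so commonpath never raises ValueError.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: a normal file, a plain traversal, the
    # advisory's backslash form, its percent-encoded form, and a '...' segment.
    for p in ["/readme.txt", "/../readme.txt", "/\\../readme.txt",
              "/%5c../readme.txt", "/.../readme.txt"]:
        print(f"{p!r:24} vulnerable_check={vulnerable_check(p)!s:5} "
              f"hardened={hardened_resolve(p)}")
```

The point of the hardened version is that it never reasons about the raw segments the client sent; it decodes, unifies separators, joins to the root and only then asks whether the canonical result is inside the root. On a real server you would additionally resolve symlinks with `os.path.realpath` before the prefix comparison, since a link inside the root can point outside it.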
Solution
A fixed upgrade, 1.2.3, was released and is available at:
http://www.caucho.com/download/index.xtp
Vendor Status
Caucho Technology, Inc was notified via <resin@caucho.com> and
<ferg@caucho.com> on Sunday, January 28, 2001. I would like to congratulate
Caucho for being the first cooperative vendor I have ever dealt with.
- Joe Testa ( e-mail: joetesta@hushmail.com / AIM: LordSpankatron )