[25934] in bugtraq
Caucho Resin Path Disclosure
daemon@ATHENA.MIT.EDU (security-protocols@hushmail.com)
Tue Jun 25 22:17:11 2002
Message-Id: <200206250244.g5P2iZW68383@mailserver2.hushmail.com>
From: security-protocols@hushmail.com
To: bugtraq@securityfocus.com
Date: Mon, 24 Jun 2002 19:44:35 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
====================================
Caucho Resin Path Disclosure
Released: June 24th 2002
====================================
Problem
- -------
While working with Resin, I found that it is possible to disclose the physical path to the webroot. An attacker may use this information in order to gain unauthorized access to the webserver.
If this has already been posted, please disregard this message and send all hate/flame mail to the email address at the end of this message.
Risk Level
- ----------
Low
Tested Versions
- -------------------
Resin 2.0.5 - 2.1.2
Details
- -------
Making a request for: http://target:8080/examples/basic/servlet/HelloServlet
will result in:
Hello, world!
The source of this servlet is in:
C:\Documents and Settings\Administrator\Desktop\share\resin-2.1.1\doc\examples\basic\WEB-INF\classes\HelloServlet.java
Vendor Website
- --------------
http://www.caucho.com
Fix Information
- ---------------
Remove the /examples directory.
Author
- ------
Original Guru
www.security-protocols.com
<admin at security-protocols.com>
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com
-----END PGP SIGNATURE-----
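Added example (not part of the original advisory, and not Caucho's code): a heuristic check that flags absolute filesystem paths in HTTP response bodies, for confirming that the /examples content no longer leaks the webroot after cleanup. The sample responses, every URL other than the HelloServlet one, and the list of Unix root directories are constructed assumptions.

```python
import re

# Heuristic patterns for absolute filesystem paths inside a response body.
# Windows: drive letter, one or more directories (spaces allowed), final name.
WINDOWS_PATH = re.compile(r'\b[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)+[^\\/:*?"<>|\r\n\s]+')
# Unix: only well-known top-level directories (assumed list), so that URL
# paths such as /examples/basic/... are not reported as disclosures.
UNIX_PATH = re.compile(
    r'(?<![\w:/.])/(?:home|usr|var|opt|srv|etc|tmp|root)/(?:[\w.+-]+/)*[\w.+-]+')


def find_path_disclosures(body):
    """Return absolute filesystem paths found in a response body, in order."""
    hits = [(m.start(), m.group(0))
            for rx in (WINDOWS_PATH, UNIX_PATH) for m in rx.finditer(body)]
    return [path for _, path in sorted(hits)]


def audit(responses):
    """Map each URL to the paths it leaks; URLs with no findings are omitted."""
    report = {}
    for url, body in responses.items():
        leaked = find_path_disclosures(body)
        if leaked:
            report[url] = leaked
    return report


# Constructed sample bodies. The first mirrors the output quoted in the advisory.
SAMPLE_RESPONSES = {
    "http://target:8080/examples/basic/servlet/HelloServlet": (
        "Hello, world!\nThe source of this servlet is in:\n"
        r"C:\Documents and Settings\Administrator\Desktop\share\resin-2.1.1"
        r"\doc\examples\basic\WEB-INF\classes\HelloServlet.java" "\n"),
    "http://target:8080/index.html": (
        "<html><body>Docs: http://www.caucho.com/resin/usr/doc</body></html>"),
    "http://target:8080/unix-variant": (
        "The source of this servlet is in:\n"
        "/opt/resin/doc/examples/basic/WEB-INF/classes/HelloServlet.java\n"),
}

if __name__ == "__main__":
    for url, paths in audit(SAMPLE_RESPONSES).items():
        print(url, "->", paths)
```

The patterns are deliberately narrow: Windows paths written with forward slashes and Unix paths outside the listed directories are not matched.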