Vulnerability
Resin Webserver
Affected
Resin Webserver
Description
Joe Testa found the following. Resin 1.2.2 is a webserver. A
vulnerability exists which allows a remote user to break out of
the web root using relative paths (i.e. '..', '...').
Resin does in fact check that the requested path lies within the
webroot, but by inserting a backslash before any '..' or '...', it
is possible to defeat the check. The following URL demonstrates
this vulnerability:
http://localhost:8080/\../readme.txt
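The class of check failure described above, as an added example that is not Resin's code and not from the original advisory: a hypothetical segment check that only splits on '/' accepts the request, while a check that treats the backslash as a separator before validating rejects it. WEB_ROOT and both function names are assumptions, and decoding percent-encoding once goes beyond the case shown on this page.

```python
import posixpath
from urllib.parse import unquote, urlsplit

WEB_ROOT = "/srv/webroot"  # assumed document root, constructed for this example


def naive_is_safe(url_path):
    """Hypothetical weak check: inspects '/'-delimited segments only,
    so a segment such as '\\..' is not recognised as a parent reference."""
    return not any(seg in ("..", "...") for seg in url_path.split("/"))


def resolve_in_webroot(url, root=WEB_ROOT):
    """Return the canonical path under root, or None if the request is rejected."""
    # Decode exactly once so an encoded backslash (%5c) is seen by the check.
    path = unquote(urlsplit(url).path)
    # Treat '\' as a separator *before* validating, as Windows file APIs do.
    path = path.replace("\\", "/")
    segments = [s for s in path.split("/") if s not in ("", ".")]
    # Reject any remaining dot-only segment: '..', '...', and longer runs.
    if any(set(s) == {"."} for s in segments):
        return None
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    # Final containment check on the canonical form, not on the raw request.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests; the first is the URL quoted in the advisory.
    for url in ("http://localhost:8080/\\../readme.txt",
                "http://localhost:8080/\\.../readme.txt",
                "http://localhost:8080/docs/index.html"):
        print(url, "->", resolve_in_webroot(url))
```

The containment test runs on the canonical path after separator normalization, so the check and the filesystem lookup see the same string.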
Solution
A fixed version, 1.2.3, was released and is available at:
http://www.caucho.com/download/index.xtp