
Resin Server path disclosure using sample scripts
26th Jun 2002 [SBWID-5484]
COMMAND

	Resin path disclosure using sample scripts

SYSTEMS AFFECTED

	Resin 2.0.5 - 2.1.2

PROBLEM

	Original Guru [http://www.security-protocols.com] found the following
	regarding Resin [http://www.caucho.com]:
	

	While working with Resin, I found that it is possible to disclose the
	physical path to the webroot. An attacker may use this information in
	order to gain unauthorized access to the webserver.
	

	Making a request for:

	http://target:8080/examples/basic/servlet/HelloServlet

	will result in:

	Hello, world! The source of this servlet is in:

	C:\Documents and Settings\Administrator\Desktop\share\resin-2.1.1\doc\examples\basic\WEB-INF\classes\HelloServlet.java


SOLUTION

	Remove the /examples directory.
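Two checks a defender can run against their own Resin installation, written here as an added example (not part of the advisory and not Caucho's code): a scan of a servlet response body for absolute filesystem paths of the kind shown above, and a pass over Common Log Format access logs that flags requests under the sample-application prefix and reports whether they were still served, which tells you whether the fix (removing /examples) has actually taken effect. The regexes, the root-directory list for POSIX paths and all sample data are assumptions constructed for this example.

```python
"""Added example: detect filesystem-path disclosure in servlet responses and
spot requests for the Resin sample applications in access logs.
Not part of the advisory or of Caucho's Resin; sample data below is constructed."""
import re
from typing import Dict, List

# Windows absolute path: drive letter, colon, backslash-separated components.
# Components may contain spaces ("Documents and Settings"); stop at line end or quote.
WINDOWS_PATH_RE = re.compile(r'\b[A-Za-z]:\\(?:[^\\\n<>"\'|?*]+\\)*[^\\\n<>"\'|?*]+')

# POSIX absolute path rooted at a directory where a server install would live.
# The root list is a heuristic (an assumption) chosen so URL paths such as
# /examples/... are not reported as filesystem paths.
POSIX_PATH_RE = re.compile(r'(?<![\w/])/(?:opt|usr|home|var|srv|etc|root)(?:/[\w.-]+)+')

# Common Log Format line; the request path and status are all we need here.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed response body modelled on the advisory's HelloServlet output.
SAMPLE_RESPONSE_WINDOWS = (
    "Hello, world! The source of this servlet is in:\n"
    r"C:\Documents and Settings\Administrator\Desktop\share\resin-2.1.1"
    r"\doc\examples\basic\WEB-INF\classes\HelloServlet.java"
)

# Constructed Unix variant of the same disclosure.
SAMPLE_RESPONSE_UNIX = (
    "Hello, world! The source of this servlet is in: "
    "/opt/resin-2.1.2/doc/examples/basic/WEB-INF/classes/HelloServlet.java"
)

# Constructed access-log excerpt: two hits on the sample app, one ordinary request.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jun/2002:10:15:32 +0000] "GET /examples/basic/servlet/HelloServlet HTTP/1.0" 200 312
10.0.0.7 - - [26/Jun/2002:10:16:01 +0000] "GET /index.jsp HTTP/1.0" 200 1024
10.0.0.5 - - [26/Jun/2002:10:16:44 +0000] "GET /examples/jsp/index.jsp HTTP/1.0" 404 210
"""

SAMPLE_APP_PREFIXES = ("/examples/",)


def find_path_disclosures(body: str) -> List[str]:
    """Return absolute filesystem paths (Windows or POSIX) found in a response body."""
    windows = [m.rstrip() for m in WINDOWS_PATH_RE.findall(body)]
    return windows + POSIX_PATH_RE.findall(body)


def flag_sample_app_requests(log_text: str, prefixes=SAMPLE_APP_PREFIXES) -> List[Dict[str, object]]:
    """Parse CLF lines and return requests whose path falls under a sample-app prefix.

    'served' is True when the server answered with a non-error status, meaning the
    sample application is still deployed and /examples has not been removed."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        path = m.group("path")
        if not path.startswith(prefixes):
            continue
        status = int(m.group("status"))
        hits.append({"ip": m.group("ip"), "path": path, "status": status, "served": status < 400})
    return hits


def sample_apps_still_deployed(log_text: str) -> bool:
    """True if any sample-app request in the log was served rather than rejected."""
    return any(h["served"] for h in flag_sample_app_requests(log_text))


if __name__ == "__main__":
    for body in (SAMPLE_RESPONSE_WINDOWS, SAMPLE_RESPONSE_UNIX):
        for p in find_path_disclosures(body):
            print("path disclosed:", p)
    for h in flag_sample_app_requests(SAMPLE_LOG):
        print(h)
    print("sample apps still deployed:", sample_apps_still_deployed(SAMPLE_LOG))
```

After removing the /examples directory, the same log check should show only 404 responses under the prefix; a 200 there means the sample applications are still reachable. The path detector can also be run over any servlet or JSP output before deployment, since error pages and debug servlets are the usual places an install path leaks.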
	

	
