-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Resin 2.1.0 also appears vulnerable, Mr. Peter Gründl.

// badpack3t.

On Wed, 17 Jul 2002 11:33:59 +0200, Peter Gründl <pgrundl@kpmg.dk> wrote:

>--------------------------------------------------------------------
>
>Title: Resin DOS device path disclosure
>
>BUG-ID: 2002033
>Released: 17th Jul 2002
>--------------------------------------------------------------------
>
>Problem:
>========
>It is possible to disclose the physical path to the webroot. This
>information could be useful to a malicious user wishing to gain
>illegal access to resources on the server.
>
>
>Vulnerable:
>===========
>- Resin 2.1.1 on Windows 2000 Server
>- Resin 2.1.2 on Windows 2000 Server
>
>
>Not Vulnerable:
>===============
>- Resin 2.1.s020711 on Windows 2000 Server
>
>
>Details:
>========
>Requesting certain DOS devices, such as lpt9.xtp, results in an error
>message that contains the physical path to the web root.
>
>500 Servlet Exception
>java.io.FileNotFoundException: C:\Documents and Settings\Administrator
>\Desktop\resin-2.1.1\resin-2.1.1\doc\aux.xtp
>(Access is denied)
>
>
>Vendor URL:
>===========
>You can visit the vendor webpage here: http://www.caucho.com
>
>
>Vendor response:
>================
>The vendor was notified on the 22nd of May, 2002. On the 12th of
>July we verified that the problem was corrected in the latest build
>(s020711).
>
>
>Corrective action:
>==================
>Upgrade to a newer version. This issue was first resolved in build
>s020711, available here: http://www.caucho.com/download/index.xtp
>
>
>Author: Peter Gründl (pgrundl@kpmg.dk)
>
>--------------------------------------------------------------------
>KPMG is not responsible for the misuse of the information we provide
>through our security advisories. These advisories are a service to
>the professional security community. In no event shall KPMG be liable
>for any consequences whatsoever arising out of or in connection
>with the use or spread of this information.
>--------------------------------------------------------------------
>
>

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wmcEARECACcFAj01sPsgHHNlY3VyaXR5LXByb3RvY29sc0BodXNobWFpbC5jb20ACgkQ
NAoGe68ymd2tswCfc55pTUjX/iW6VEMiY81SLvt/cfgAmwbd79bNOV4G/ieN9AmY36eW
EPDl
=cSnY
-----END PGP SIGNATURE-----
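As an added example, not part of this thread and not Caucho's Resin code, the following Python covers the two checks a defender would want from the advisory above: a web-log scan that flags requests whose path names a reserved Windows DOS device (handling the extension, trailing-dot and percent-encoded forms the same way Windows and an HTTP server do, so `aux.xtp`, `LPT9.xtp` and `%61ux.xtp` are caught while `auxiliary.png` is not), and a check of an error body for an echoed absolute Windows path, which is the actual disclosure the advisory describes. The log lines, IP addresses and error body are constructed for the example, and the function names are my own.

```python
import re
from urllib.parse import unquote, urlsplit

# Names that Windows reserves for DOS devices. The kernel resolves them
# regardless of directory or extension, so "doc/aux.xtp" maps to the AUX
# device rather than to a file under the web root.
RESERVED_DOS_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_dos_name(component: str) -> bool:
    """True if a single path component would be resolved as a DOS device.

    Windows ignores everything after the first dot (the "extension") and
    strips trailing spaces and dots, so "aux", "aux.xtp", "NUL." and
    "lpt9.xtp" are all device names, while "auxiliary.png" is not.
    """
    stem = component.split(".", 1)[0].rstrip(" .").upper()
    return stem in RESERVED_DOS_NAMES


def request_targets_dos_device(request_target: str) -> bool:
    """Check every path segment of an HTTP request target after
    percent-decoding and normalising backslashes, so encoded or
    backslash-separated forms are judged the same way as plain ones."""
    path = unquote(urlsplit(request_target).path).replace("\\", "/")
    return any(is_reserved_dos_name(seg) for seg in path.split("/") if seg)


# Common Log Format, as written by most web servers and reverse proxies.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def flag_dos_device_requests(log_lines):
    """Return (client_ip, request_target, status) for each log line whose
    request target names a DOS device. A 500 on such a request matches
    the unpatched behaviour described in the advisory."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if m and request_targets_dos_device(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


# Absolute Windows path such as C:\...; used to check whether an error
# page echoes server-side file locations to the client.
WINDOWS_PATH = re.compile(r"\b[A-Za-z]:\\[^\r\n]*")


def leaks_filesystem_path(response_body: str) -> bool:
    """True if the response body contains an absolute Windows path."""
    return WINDOWS_PATH.search(response_body) is not None


# Constructed sample log lines (not from the advisory); the IPs are from
# documentation ranges. Only lines 2, 4 and 6 target a DOS device name.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jul/2002:11:33:59 +0200] "GET /index.xtp HTTP/1.0" 200 1432',
    '192.0.2.10 - - [17/Jul/2002:11:34:02 +0200] "GET /doc/aux.xtp HTTP/1.0" 500 611',
    '192.0.2.10 - - [17/Jul/2002:11:34:05 +0200] "GET /images/auxiliary.png HTTP/1.0" 200 900',
    '198.51.100.7 - - [17/Jul/2002:11:35:10 +0200] "GET /doc/lpt9.xtp HTTP/1.0" 500 611',
    '198.51.100.7 - - [17/Jul/2002:11:35:12 +0200] "GET /doc/lpt0.xtp HTTP/1.0" 404 302',
    '198.51.100.7 - - [17/Jul/2002:11:35:15 +0200] "GET /%61ux.xtp?x=1 HTTP/1.0" 500 611',
]

# Constructed error body modelled on the advisory's example output.
SAMPLE_ERROR_BODY = (
    "500 Servlet Exception\n"
    "java.io.FileNotFoundException: C:\\Documents and Settings\\Administrator"
    "\\Desktop\\resin-2.1.1\\resin-2.1.1\\doc\\aux.xtp\n(Access is denied)\n"
)

if __name__ == "__main__":
    for ip, target, status in flag_dos_device_requests(SAMPLE_LOG):
        print(f"{ip} requested DOS device name {target!r} -> HTTP {status}")
    print("error page leaks a path:", leaks_filesystem_path(SAMPLE_ERROR_BODY))
```

Two design choices matter here: the reserved-name check works on the stem before the first dot, because that is how Windows classifies the name, so a filename-extension allowlist alone would not stop these requests; and the log check runs on the decoded path, since a server also decodes before it touches the filesystem. A clean response to such a request is a 404 that does not reproduce the exception text, which is what the fixed build avoids echoing.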