[NT] Resin view_source.jsp Arbitrary File Reading

From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 17 Jun 2002 20:39:47 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Resin view_source.jsp Arbitrary File Reading
------------------------------------------------------------------------

SUMMARY

In a default installation of <http://www.caucho.com/> Resin server, the
examples folder will be installed as well. This folder contains a JSP
script that can be used to view arbitrary file contents with the
permissions of the web service.

DETAILS

Vulnerable systems:
 * view_source.jsp from Resin 2.1.2 standalone on Windows 2000 Server

The sample script view_source.jsp tries to chroot to the folder where it
is located. If you look at the source code, it says:

"// Chroot to the current directory so no one can use this as a
  // security hole"

Attempts to use /../ to break out of the examples folder are also foiled
by the script. However, if you replace the /../ with \..\ you can access
any file on the drive that Resin has access to.
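The two checks contrasted below are an added illustration, not code from the advisory or from Resin: a model of the flawed "/../" string check the advisory describes, beside a check that resolves the requested name against the examples directory and only accepts it when the result stays inside. It uses ntpath so that Windows separator rules apply on any host; EXAMPLES_DIR and the sample file names are constructed, hypothetical values.

```python
import ntpath

# Constructed stand-in for the Resin examples folder on a Windows host
# (hypothetical path, not taken from the advisory).
EXAMPLES_DIR = r"C:\resin\doc\examples"


def naive_allows(requested: str) -> bool:
    """Model of the flawed check: only the forward-slash parent hop is
    rejected, so a request written with backslashes passes untouched."""
    return "/../" not in requested


def resolve_under_base(base: str, requested: str):
    """Hardened check: join the request onto the base directory, normalise
    it under Windows path rules (both separators, '..' collapsed, case
    folded) and require the result to remain below the base.
    Returns the resolved path, or None when the request would escape."""
    base_norm = ntpath.normcase(ntpath.normpath(base))
    # join() discards the base when the request is absolute or carries a
    # drive letter; the containment test below rejects that case as well.
    resolved = ntpath.normpath(ntpath.join(base, requested))
    if not ntpath.normcase(resolved).startswith(base_norm + "\\"):
        return None
    return resolved


if __name__ == "__main__":
    # Constructed sample requests: an in-folder file, the slash form of a
    # parent hop, the backslash form, and a hop that stays inside the base.
    for req in ("index.jsp", "../../winnt/win.ini",
                r"..\..\winnt\win.ini", r"sub\..\index.jsp"):
        print(f"{req!r:28} naive={naive_allows(req)!s:5} "
              f"hardened={resolve_under_base(EXAMPLES_DIR, req)}")
```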

Corrective action:
Remove the examples folder from your website.

ADDITIONAL INFORMATION

The information has been provided by <mailto:pgrundl@kpmg.dk> Peter
Gründl.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
