| VID | 22054 |
| Severity | 20 |
| Port | 80, ... |
| Protocol | TCP |
| Class | Servlet |
| Detailed Description |
Resin reveals the physical path of the webroot when certain MS-DOS device names are requested. Resin, developed by Caucho Technology, is a servlet and JavaServer Pages (JSP) engine that supports Java and JavaScript. When certain MS-DOS device names, such as lpt9.xtp, are requested, Resin returns an error message that discloses the full path to the webroot directory to remote attackers:
500 Servlet Exception java.io.FileNotFoundException: C:\Documents and Settings\Administrator\Desktop\resin-2.1.1\resin-2.1.1\doc\aux.xtp (Access is denied)
This information could be useful to a malicious user wishing to gain further knowledge about the remote filesystem layout, and to gain illegal access to resources on the server.
* Platforms Affected: Resin 2.1.1 on Windows 2000 Server; Resin 2.1.2 on Windows 2000 Server |
| Recommendation | Upgrade to a newer version (2.1.2 build s020711 or later) from: http://caucho.com/products/resin/download |
| Related URL | CVE-2002-2090 (CVE) |
| Related URL | 5252 (SecurityFocus) |
| Related URL | 9590 (ISS) |
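
A defender-side check for the disclosure described above, added here as an example (it is not part of the original advisory or of Resin): it flags requests whose file name is a reserved MS-DOS device name and extracts any filesystem path leaked in a `FileNotFoundException` error body. The function names and the sample records are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Reserved MS-DOS device names on Windows (CON, PRN, AUX, NUL, COM1-9, LPT1-9).
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}

# Absolute Windows path inside a Java FileNotFoundException message,
# matching the shape of the error shown in the description.
LEAK_RE = re.compile(
    r"java\.io\.FileNotFoundException:\s*([A-Za-z]:\\.*?)\s*\(", re.S
)

def is_dos_device_request(url):
    """True if the last path segment's base name is a reserved device name."""
    segment = unquote(urlsplit(url).path).rsplit("/", 1)[-1]
    base = segment.split(".", 1)[0].rstrip(" ")
    return base.upper() in DOS_DEVICES

def leaked_path(body):
    """Return the filesystem path disclosed in an error body, or None."""
    match = LEAK_RE.search(body)
    return match.group(1) if match else None

def triage(records):
    """Return findings for (url, status, body) records showing either signal."""
    findings = []
    for url, status, body in records:
        device = is_dos_device_request(url)
        path = leaked_path(body)
        if device or path:
            findings.append({"url": url, "status": status,
                             "device_request": device, "leaked_path": path})
    return findings

# Constructed sample records (not captured traffic): (url, status, body).
SAMPLES = [
    ("/aux.xtp", 500, "500 Servlet Exception java.io.FileNotFoundException: "
     r"C:\resin\doc\aux.xtp (Access is denied)"),
    ("/index.xtp", 200, "<html>ok</html>"),
    ("/docs/LPT9.xtp", 404, "Not Found"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLES):
        print(finding)
```

A record with `device_request` set but no `leaked_path`, like the third sample, is what a patched or non-Windows server would produce for the same request.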