| Field | Value |
| --- | --- |
| VID | 22236 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | Servlet |
| Detailed Description | Resin 'view_source.jsp' sample script has a directory traversal vulnerability. Resin, developed by Caucho Technology, is a servlet and Java Server Pages (JSP) engine that supports Java and JavaScript. The 'view_source.jsp' sample script in Resin version 2.1.2 under a Microsoft Windows platform could allow a remote attacker to view contents of arbitrary files on the Web server. The 'view_source.jsp' script prevents directory traversal via '/../' sequences. However, an attacker attempting directory traversal via '\..\' sequences will succeed. This may allow an attacker to request any files on the vulnerable system readable by the Web server.<br>* References: http://archives.neohapsis.com/archives/bugtraq/2002-06/0168.html<br>* Platforms Affected: Resin 2.1.2 Microsoft Windows Any version |
| Recommendation | Upgrade to the latest version of Resin (2.1.11 or later), available from the Caucho Technology Web site at http://caucho.com/products/resin/download<br>-- OR --<br>As a workaround, remove the "Examples" folder, if the sample scripts are not needed. |
| Related URL | CVE-2002-1987 (CVE) |
| Related URL | 5031 (SecurityFocus) |
| Related URL | 9351 (ISS) |
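The filter gap described above, shown as an added example that is not Resin's code: a check that rejects only '/../' sits beside a check that resolves the request under Windows path rules and requires the result to stay inside the examples folder. `EXAMPLES_ROOT`, the function names and the sample requests are assumptions constructed for illustration; Python's `ntpath` module is used so the Windows separator handling is reproduced on any host.

```python
import ntpath
from typing import Optional

# Assumed location of the sample scripts (hypothetical path, not from the advisory).
EXAMPLES_ROOT = r"C:\resin\doc\examples"


def naive_is_safe(requested: str) -> bool:
    """Filter as the advisory describes it: only the '/../' form is rejected."""
    return "/../" not in requested


def resolve_within_root(requested: str, root: str = EXAMPLES_ROOT) -> Optional[str]:
    """Resolve with Windows rules ('/' and '\\' both separate path segments)
    and return the canonical path only if it is strictly below root."""
    if "\x00" in requested:
        return None
    # join() lets a drive, UNC or rooted request replace root; the prefix
    # comparison below rejects every such result.
    candidate = ntpath.normpath(ntpath.join(root, requested))
    root_cmp = ntpath.normcase(ntpath.normpath(root))
    cand_cmp = ntpath.normcase(candidate)  # case-insensitive, '\\' only
    # The trailing separator keeps a sibling such as 'examples-private' out.
    if not cand_cmp.startswith(root_cmp + "\\"):
        return None
    return candidate


# Constructed sample requests for the 'file' parameter.
SAMPLES = [
    "basic/hello.jsp",                 # ordinary request
    "basic/../../../conf/resin.conf",  # form the original filter catches
    "..\\..\\conf\\resin.conf",        # form the original filter misses
    "basic\\..\\basic\\hello.jsp",     # '..' that never leaves the root
    "..\\examples-private\\notes.txt", # sibling folder sharing the prefix
]


def audit(samples=SAMPLES):
    """Return (request, naive verdict, hardened verdict) for each sample."""
    return [(s, naive_is_safe(s), resolve_within_root(s) is not None)
            for s in samples]


if __name__ == "__main__":
    for request, naive, hardened in audit():
        print(f"{request!r:40} naive={naive!s:5} hardened={hardened}")
```

Any row where the naive verdict is True and the hardened verdict is False is a request the '/../'-only filter would have served from outside the examples folder.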