VID: 22415
Severity: 30
Port: 8080, ...
Protocol: TCP
Class: Servlet
Detailed Description:
The Caucho Resin server is vulnerable to arbitrary file access via the viewfile servlet. Caucho Resin is a servlet and JSP server. Resin versions 3.0.17 and 3.0.18 on Microsoft Windows allow a remote attacker to read arbitrary files within the web root directory of the affected host. The cause is improper validation of user-supplied input passed to the "contextpath" and "file" parameters of the "viewfile" servlet, which is intended only to display Resin documentation files from the /resin-doc directory. A remote attacker can exploit this to obtain the source code of files under the web root, including JSP source that the server would otherwise execute rather than return, and configuration files that are never meant to be served.

* References: http://www.caucho.com/download/changes.xtp http://www.securityfocus.com/archive/1/434145/30/0/threaded http://secunia.com/advisories/20125/
* Platforms Affected: Caucho Technology, Inc. Resin 3.0.17; Caucho Technology, Inc. Resin 3.0.18; Microsoft Windows (any version)
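The description above names the two attacker-controlled parameters ("contextpath" and "file") and the servlet path (/resin-doc/viewfile). The following detection script is an added example, not part of this advisory or of Caucho's code: it parses combined-format HTTP access log lines (constructed here, not real traffic), picks out requests to the viewfile servlet, and rates them by whether "contextpath" points outside the /resin-doc context or "file" names WEB-INF, a traversal sequence, or a source/config file. The assumption that legitimate documentation browsing keeps contextpath within /resin-doc is the author's, not something the advisory states.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [16/May/2006:10:01:22 +0000] "GET /index.jsp HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [16/May/2006:10:01:25 +0000] "GET /resin-doc/viewfile/?contextpath=/&file=WEB-INF/web.xml HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.4 - - [16/May/2006:10:02:01 +0000] "GET /resin-doc/viewfile/?contextpath=/resin-doc&file=index.xtp HTTP/1.1" 200 8012 "-" "curl/7.15.5"
203.0.113.7 - - [16/May/2006:10:02:10 +0000] "GET /resin-doc/viewfile/?contextpath=/&file=index.jsp HTTP/1.1" 200 1490 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})'
)

DOC_CONTEXT = "/resin-doc"               # documentation web app that hosts viewfile
VIEWFILE_PREFIX = DOC_CONTEXT + "/viewfile"
SENSITIVE_SUFFIXES = (".jsp", ".xml", ".properties", ".conf")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_viewfile_request(target):
    """Return a finding for a request to the viewfile servlet, or None otherwise.

    Severity is "high" when the parameters look like file disclosure rather
    than documentation browsing; the reasons list explains why.
    """
    parts = urlsplit(target)
    path = unquote(parts.path)
    if not path.startswith(VIEWFILE_PREFIX):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    contextpath = qs.get("contextpath", [""])[0]
    file_param = qs.get("file", [""])[0]

    reasons = []
    # Assumption (author's): legitimate doc browsing stays within /resin-doc.
    if contextpath and contextpath.rstrip("/") != DOC_CONTEXT:
        reasons.append("contextpath outside %s: %r" % (DOC_CONTEXT, contextpath))
    norm = file_param.replace("\\", "/")          # Windows targets: treat \ as /
    if ".." in norm.split("/"):
        reasons.append("path traversal in file parameter")
    if "WEB-INF" in norm.upper() or "META-INF" in norm.upper():
        reasons.append("file targets WEB-INF/META-INF")
    if norm.lower().endswith(SENSITIVE_SUFFIXES):
        reasons.append("file requests a source/config file: %r" % file_param)

    return {
        "contextpath": contextpath,
        "file": file_param,
        "severity": "high" if reasons else "low",
        "reasons": reasons,
    }


def scan_log(log_text):
    """Scan access-log text and return findings for every viewfile request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify_viewfile_request(rec["target"])
        if finding is None:
            continue
        finding.update(ip=rec["ip"], ts=rec["ts"], status=int(rec["status"]))
        # A 200 on a high-severity request means the disclosure likely succeeded.
        finding["succeeded"] = finding["severity"] == "high" and finding["status"] == 200
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%(severity)-4s %(ip)s %(ts)s contextpath=%(contextpath)r "
              "file=%(file)r succeeded=%(succeeded)s %(reasons)s" % f)
```

Run it against a real Resin access log (Resin writes combined-format logs when configured with the standard access-log format) to find both attempted and successful disclosures; the "succeeded" flag separates probes that were blocked from ones that returned content.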
Recommendation:
Upgrade to the latest version of Caucho Resin (3.0.19 or later), available from the Caucho Technology Download Web site at http://caucho.com/products/resin/download. Where an immediate upgrade is not possible, removing or restricting access to the /resin-doc documentation web application takes the vulnerable viewfile servlet out of reach on production hosts; the documentation application has no place on an internet-facing server in any case.
Related URLs:
* CVE-2006-2437, CVE-2006-2438 (CVE)
* 18007 (SecurityFocus)
* 26494 (ISS)