Bugtraq mailing list archives
Vulnerability in Resin Webserver
From: joetesta () HUSHMAIL COM
Date: Thu, 15 Feb 2001 20:47:02 -0800
----- Begin Hush Signed Message from joetesta () hushmail com -----

Vulnerability in Resin Webserver

Overview

Resin 1.2.2 is a webserver available from http://www.caucho.com and http://java.tucows.com. A vulnerability exists which allows a remote user to break out of the web root using relative paths (i.e., '..', '...').

Details

Resin does in fact check that the requested path lies within the webroot, but by inserting a backslash before any '..' or '...', it is possible to defeat the check. The following URL demonstrates this vulnerability:

http://localhost:8080/\../readme.txt

Solution

A fixed upgrade, 1.2.3, was released and is available at: http://www.caucho.com/download/index.xtp

Vendor Status

Caucho Technology, Inc. was notified via <resin () caucho com> and <ferg () caucho com> on Sunday, January 28, 2001. I would like to congratulate Caucho for being the first cooperative vendor I have ever dealt with.

- Joe Testa ( e-mail: joetesta () hushmail com / AIM: LordSpankatron )

----- Begin Hush Signature v1.3 -----
An0eed7ic2H8Vtwjs3cQulZsm6R8EEwEMFlftmkdq+W6lBV+uEITb9LSwXnLtJGWUwaH
ATRTVglHrpuXliZsKdOLkr1V6e+DpfmUpi0EgNnYn0watuvzd1nPfwW7QSXInSdMWuBu
KRoEXT3jn3WE4kdyDvbbZ6i8jsN7+mYuSs3JCgELd3t/kumhSfQa7JyxRkO9JUUiJo0q
NWSvr5rI60ioW/xv7SS5SGd/Fi9LYKmAPGNRNk86EfTXJsSF5BaogliJT1BvjdOh5Spn
Zrng815s3CZweudPh+I7DLmddZefRqpCV6fyp/juittDhpZ9y7WZpy6Ea4LtPfpo07jk
tSHqUg2R4cCRJBwj8M+pRGVmfYK1Zhli7AivtznD62DfxEv5abHrPMGwlNabpAc7NHBc
8f7eHUFFTkR0Eb3YAk5y4e+PREaQ6jEbUKS6yIf29Xh6+iZybGssClim0d8SO/2xG5dL
tE1WgFJgv1Jd7p+iuXhVu4T65DMhYFi2FluHFYB2g6Gg
----- End Hush Signature v1.3 -----

This message has been signed with a Hush Digital Signature.
To verify the signature, please go to www.hush.com/tools
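The Details section describes a containment check that looks for '..' segments but is defeated when a backslash precedes them. The following is an added example, not code from the advisory or from Caucho's Resin, contrasting a naive check of that kind with a hardened resolver that canonicalizes the request path (percent-decoding, unifying backslash with slash, collapsing dot segments) before testing containment. It goes slightly beyond the advisory's single URL by also covering a percent-encoded backslash; the web root, function names and sample request paths are constructed for illustration.

```python
"""
Added example, not from the advisory or from Caucho's Resin code: a naive
web-root containment check of the kind the advisory describes as bypassable,
next to a hardened resolver that canonicalizes the request path before
checking it.  The web root, function names and sample request paths below
are constructed for illustration.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/htdocs"  # constructed sample web root


def naive_is_inside_root(request_path: str) -> bool:
    """Naive check: split only on '/', reject '..' and '...' segments.

    A segment such as '\\..' is not literally '..', so it passes this check
    even though a filesystem that accepts '\\' as a separator will walk up
    one directory.  This mirrors the class of check the advisory says Resin
    1.2.2 performed (constructed illustration, not Resin's actual code).
    """
    return not any(seg in ("..", "...") for seg in request_path.split("/"))


def resolve_under_root(request_path: str, root: str = WEB_ROOT):
    """Hardened check: canonicalize first, then test containment.

    Steps: percent-decode, refuse NUL bytes, treat '\\' as '/', refuse
    all-dot segments of three or more dots (some filesystems resolved
    '...' as a parent directory), collapse '.' and '..' with normpath,
    and finally require the result to be the root or a path beneath it.
    Returns the resolved path, or None if the request escapes the root.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None
    unified = decoded.replace("\\", "/")
    segments = unified.split("/")
    if any(len(seg) >= 3 and seg.strip(".") == "" for seg in segments):
        return None
    candidate = posixpath.normpath(posixpath.join(root, unified.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


# Constructed request paths: the advisory's example, its plain form, two
# benign requests, and a percent-encoded backslash variant.
SAMPLE_REQUESTS = [
    "/\\../readme.txt",
    "/../readme.txt",
    "/index.html",
    "/docs/../index.html",
    "/%5C../readme.txt",
]


def audit(paths=SAMPLE_REQUESTS):
    """Return {path: (naive_verdict, hardened_verdict)} for each request,
    where True means the check would allow the request."""
    return {p: (naive_is_inside_root(p), resolve_under_root(p) is not None)
            for p in paths}


if __name__ == "__main__":
    for path, (naive_ok, hardened_ok) in audit().items():
        print(f"{path!r:24} naive={'allow' if naive_ok else 'deny':5} "
              f"hardened={'allow' if hardened_ok else 'deny'}")
```

The design point is that containment must be decided on the canonical filesystem path the request will actually resolve to, not on the raw string: once separators are unified and dot segments collapsed, the backslash trick and its encoded form both reduce to a plain parent reference and are denied, while legitimate requests that merely contain '..' without leaving the root are still served.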