--------------------------------------------------------------------
Title: Resin DOS device path disclosure
BUG-ID: 2002033
Released: 17th Jul 2002
--------------------------------------------------------------------
Problem:
========
It is possible to disclose the physical path to the webroot. This
information could be useful to a malicious user wishing to gain
illegal access to resources on the server.
Vulnerable:
===========
- Resin 2.1.1 on Windows 2000 Server
- Resin 2.1.2 on Windows 2000 Server
Not Vulnerable:
===============
- Resin 2.1.s020711 on Windows 2000 Server
Details:
========
Requesting certain DOS devices, such as lpt9.xtp, results in an error
message that contains the physical path to the web root.
500 Servlet Exception
java.io.FileNotFoundException: C:\Documents and Settings\Administrator
\Desktop\resin-2.1.1\resin-2.1.1\doc\aux.xtp
(Access is denied)
Vendor URL:
===========
You can visit the vendor webpage here: http://www.caucho.com
Vendor response:
================
The vendor was notified on the 22nd of May, 2002. On the 12th of
July we verified that the problem was corrected in the latest build
(s020711).
Corrective action:
==================
Upgrade to a newer version. This issue was first resolved in build
s020711, available here: http://www.caucho.com/download/index.xtp
Author: Peter Gründl (pgrundl@kpmg.dk)
--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------
Title: Resin DOS device path disclosure
BUG-ID: 2002033
Released: 17th Jul 2002
--------------------------------------------------------------------
Problem:
========
It is possible to disclose the physical path to the webroot. This
information could be useful to a malicious user wishing to gain
illegal access to resources on the server.
Vulnerable:
===========
- Resin 2.1.1 on Windows 2000 Server
- Resin 2.1.2 on Windows 2000 Server
Not Vulnerable:
===============
- Resin 2.1.s020711 on Windows 2000 Server
Details:
========
Requesting certain DOS devices, such as lpt9.xtp, results in an error
message that contains the physical path to the web root.
500 Servlet Exception
java.io.FileNotFoundException: C:\Documents and Settings\Administrator
\Desktop\resin-2.1.1\resin-2.1.1\doc\aux.xtp
(Access is denied)
Vendor URL:
===========
You can visit the vendor webpage here: http://www.caucho.com
Vendor response:
================
The vendor was notified on the 22nd of May, 2002. On the 12th of
July we verified that the problem was corrected in the latest build
(s020711).
Corrective action:
==================
Upgrade to a newer version. This issue was first resolved in build
s020711, available here: http://www.caucho.com/download/index.xtp
Author: Peter Gründl (pgrundl@kpmg.dk)
--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------