From pgrundl@kpmg.dk Mon Jun 17 09:17:58 2002
From: Peter Gründl
To: vulnwatch
Date: Mon, 17 Jun 2002 09:19:22 +0200
Subject: [VulnWatch] KPMG-2002020: Resin view_source.jsp Arbitrary File Reading

--------------------------------------------------------------------

Title: Resin view_source.jsp Arbitrary File Reading

BUG-ID: 2002020
Released: 17th Jun 2002
--------------------------------------------------------------------

Problem:
========
In a default installation of Resin server, the examples folder will
be installed as well. This folder contains a jsp script that can be
used to view arbitrary file contents with the permissions of the web
service.

Vulnerable:
===========
- view_source.jsp from Resin 2.1.2 standalone on Windows 2000 Server

Details:
========
The sample script view_source.jsp tries to chroot to the folder where
it is located. If you look at the source code, it says:

"// Chroot to the current directory so no one can use this as a p
 // security hold"

Attempts to use /../ to break out of the examples folder are also
foiled by the script. However, if you replace the /../ with \..\ you
can access any file on the drive that Resin has access to.

Vendor URL:
===========
You can visit the vendor webpage here: http://www.caucho.com

Corrective action:
==================
Remove the examples folder from your website.

Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be liable
for any consequences whatsoever arising out of or in connection with
the use or spread of this information.
--------------------------------------------------------------------
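
The separator problem described under Details, shown as an added example that is not part of the original advisory and is not Resin's code: a filter that only recognises "/../" next to a containment check made on the resolved path. Assumptions: naive_filter_allows is a hypothetical stand-in (the advisory does not show the script's filter), the root and file names are constructed, and Python's ntpath module is used to apply Windows path rules on any OS.

```python
import ntpath  # Windows path rules, usable on any OS

# Constructed install location; not taken from the advisory.
EXAMPLES_ROOT = r"C:\resin\doc\examples"


def naive_filter_allows(name: str) -> bool:
    """Hypothetical stand-in for a filter that only knows the "/../" form."""
    return "/../" not in name and not name.startswith("../")


def safe_resolve(root: str, name: str):
    """Return the absolute path for `name` if it stays under `root`, else None.

    Both '/' and '\\' are treated as separators, as Windows itself does,
    and the decision is made on the resolved path, not on the raw string.
    """
    # Reject drive letters, alternate data streams and NUL bytes outright.
    if ":" in name or "\x00" in name:
        return None
    # Strip leading separators so join() cannot be reset to the drive root.
    full = ntpath.normpath(ntpath.join(root, name.lstrip("/\\")))
    root_cmp = ntpath.normcase(ntpath.normpath(root))
    full_cmp = ntpath.normcase(full)
    # Compare on a separator boundary so "examples2" does not match "examples".
    if full_cmp == root_cmp or full_cmp.startswith(root_cmp + "\\"):
        return full
    return None


if __name__ == "__main__":
    # Constructed request values.
    for name in ("basic/hello.jsp",
                 "basic/../../../other/file.txt",
                 "basic\\..\\..\\..\\other\\file.txt",
                 "..\\examples2\\file.txt"):
        print(f"{name!r:42} naive={naive_filter_allows(name)!s:5} "
              f"resolved={safe_resolve(EXAMPLES_ROOT, name)}")
```

The same resolve-then-compare order applies in a JSP: canonicalise the requested path first, then verify it is still under the intended directory.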