From lovehacker@263.NET Tue Apr 3 18:54:43 2001
From: lovehacker
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Tue, 3 Apr 2001 10:41:08 -0000
Subject: [BUGTRAQ] CHINANSL Security Advisory(CSA-200111)

Topic:
Resin 1.2.* & 1.3b1 JavaBean file disclosure vulnerability

vulnerable:
=============
winnt/2000 (maybe other operating systems also)
+Resin 1.2.*
+Resin 1.3b1

discussion:
===========
A security vulnerability has been found in Windows NT/2000 systems that
have Resin 1.2.* or Resin 1.3b1 installed. The vulnerability allows remote
attackers to view JavaBean files in a forbidden directory.

For example:
http://Resin1.*:8080/WEB-INF/classes/Env.java
The request will return: 403 Forbidden

But if ".jsp" is inserted before "/WEB-INF/", the Resin server sends back
the content of Env.java.

Exploits:
==========
http://Resin1.*:8080/.jsp/WEB-INF/classes/Env.java
It is possible to cause the Resin server to send back the content of
Env.java. Remote attackers can view any known JavaBean file.

solution:
=========
I cannot get any file outside the app-dir. Maybe you can modify resin.conf.

DISCLAIMS:
========
THE INFORMATION PROVIDED IS RELEASED BY CHINANSL "AS IS" WITHOUT WARRANTY
OF ANY KIND. CHINANSL DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL CHINANSL BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF CHINANSL
HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR
REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT
MODIFIED IN ANY WAY.

Copyright 2000-2001 CHINANSL. All Rights Reserved. Terms of use.

CHINANSL Security Team
lovehacker@chinansl.com
CHINANSL INFORMATION TECHNOLOGY CO.,LTD
(http://www.chinansl.com)
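
An added detection example, not part of the original advisory and not Resin's code: it scans access-log lines for requests that reach WEB-INF at any depth and marks those answered with a 2xx status. The log lines are constructed, prefix_only_check is a hypothetical model of a check that would behave as the advisory reports, and META-INF in the protected set is an assumption.

```python
import re
from urllib.parse import unquote, urlsplit

# Directories a servlet container must never serve (META-INF is an assumption).
PROTECTED = {"web-inf", "meta-inf"}

# Constructed sample access-log lines (Common Log Format), not from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Apr/2001:10:41:08 +0000] "GET /WEB-INF/classes/Env.java HTTP/1.0" 403 210
192.0.2.10 - - [03/Apr/2001:10:41:15 +0000] "GET /.jsp/WEB-INF/classes/Env.java HTTP/1.0" 200 1834
192.0.2.11 - - [03/Apr/2001:10:42:01 +0000] "GET /index.jsp HTTP/1.0" 200 5120
192.0.2.13 - - [03/Apr/2001:10:44:02 +0000] "GET /docs/web-inf-guide.html HTTP/1.0" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')


def prefix_only_check(path):
    """Hypothetical weak rule: deny only when the path starts with /WEB-INF/."""
    return path.startswith("/WEB-INF/")


def touches_protected_dir(raw_target):
    """Decode the path, unify separators, then compare every segment.

    Segments are case-folded because Windows file systems ignore case.
    """
    path = unquote(urlsplit(raw_target).path).replace("\\", "/")
    return any(seg.lower() in PROTECTED for seg in path.split("/"))


def scan(log_text):
    """Return (client, target, status, verdict, caught_by_prefix_rule) tuples."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _method, target, status = m.groups()
        if touches_protected_dir(target):
            verdict = "DISCLOSED" if status.startswith("2") else "blocked"
            findings.append((client, target, int(status), verdict,
                             prefix_only_check(target)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

A "DISCLOSED" row whose last field is False is a request that a start-of-path rule would have let through; those are the log entries to review first.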