Caucho Technology Resin Directory Traversal Vulnerability

Bugtraq ID:	2384
Class:	Input Validation Error
CVE:	CVE-2001-0304
Remote:	Yes
Local:	Yes
Published:	Feb 16 2001 12:00AM
Updated:	Mar 19 2015 08:47AM
Credit:	Discovered and posted to Bugtraq on Feb 16, 2001 by [email protected].
Vulnerable:	Caucho Resin 1.2 - Apache Apache 1.3.9 - Microsoft IIS 5.0
Not Vulnerable:	Caucho Resin 1.2.3 - Apache Apache 1.3.9 - Microsoft Windows 2000 Professional

Caucho Technology Resin Directory Traversal Vulnerability

It is possible for a remote user to gain read access to directories and files outside the root directory of a machine running Resin. Requesting a specially crafted URL composed of '/..' or '/...' sequences will disclose an arbitrary directory.

Caucho Technology Resin Directory Traversal Vulnerability

The following example has been provided by [email protected]:

http://target/\../readme.txt

Caucho Technology Resin Directory Traversal Vulnerability

Solution:
Caucho has addressed this issue in Resin 1.2.3:


Caucho Resin 1.2

• Caucho Technology resin-1.2.3.tar.gz
  http://www.caucho.com/download/resin-1.2.3.tar.gz


• Caucho Technology resin-1.2.3.zip
  http://www.caucho.com/download/resin-1.2.3.zip

Caucho Technology Resin Directory Traversal Vulnerability

References:

• Caucho Technology Homepage (Caucho Technology)