Caucho Resin Multiple Information Disclosure Vulnerabilities
BID:23985
Info
| Bugtraq ID: | 23985 |
| Class: | Input Validation Error |
| CVE: | CVE-2007-2441, CVE-2007-2440 |
| Remote: | Yes |
| Local: | No |
| Published: | May 15 2007 12:00AM |
| Updated: | Jul 06 2016 02:39PM |
| Credit: | Derek Abdine of Rapid7 is credited with the discoveries of these issues. |
| Vulnerable: | Caucho Technology Resin Professional 3.1; Caucho Technology Resin 3.1 |
| Not Vulnerable: | Caucho Technology Resin Professional 3.1.1; Caucho Technology Resin 3.1.1 |
Discussion
Caucho Resin is prone to multiple information-disclosure vulnerabilities because it fails to adequately sanitize user-supplied data.
Attackers can exploit these issues to access potentially sensitive data that may aid in further attacks.
Resin 3.1.0 is vulnerable; other versions may also be affected.
NOTE: According to the application's 3.1.1 change log, these issues affect the server only when installed on Microsoft Windows.
Exploit / POC
Attackers can use a browser to exploit this issue.
The following example URIs are available:
http://www.example.com:8080/[path]/[device].[extension]
http://www.example.com:8080/%20..\web-inf
http://www.example.com:8080/%20
http://www.example.com:8080/[path]/%20.xtp
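A defender-side check for the URI shapes listed above, added here as an example (it is not part of the original advisory or of Resin): it flags access-log requests whose decoded path has a leading-space segment, a backslash, a WEB-INF reference, or a device-name file stem. The Common Log Format input, the Windows reserved device names standing in for `[device]`, and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Assumption: "[device]" in the advisory means a Windows reserved device name.
WINDOWS_DEVICES = {"con", "prn", "aux", "nul"} | {
    f"{p}{i}" for p in ("com", "lpt") for i in range(1, 10)}
# Assumption: the access log is in Common Log Format (request line in quotes).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def classify_path(raw_path):
    """Return sorted reasons why a request path resembles the advisory's URIs."""
    path = unquote(raw_path.split("?", 1)[0])  # drop query, decode %20 and %5c
    reasons = set()
    if "\\" in path:
        reasons.add("backslash")
    if "web-inf" in path.lower():
        reasons.add("web-inf")
    for seg in re.split(r"[/\\]", path):
        if seg.startswith(" "):  # covers /%20, /%20.xtp and /%20..\web-inf
            reasons.add("leading-space")
        stem, dot, _ext = seg.partition(".")
        if dot and stem.strip().lower() in WINDOWS_DEVICES:
            reasons.add("device-name")
    return sorted(reasons)


def scan_log(lines):
    """Return (path, reasons) for every log line whose request path is flagged."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        reasons = classify_path(match.group(1)) if match else []
        if reasons:
            hits.append((match.group(1), reasons))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/May/2007:10:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 1043',
    '192.0.2.77 - - [15/May/2007:10:02:09 +0000] "GET /app/aux.jsp HTTP/1.1" 500 212',
    r'192.0.2.77 - - [15/May/2007:10:02:11 +0000] "GET /%20..\web-inf HTTP/1.1" 200 512',
    '192.0.2.77 - - [15/May/2007:10:02:14 +0000] "GET /docs/%20.xtp HTTP/1.1" 200 877',
    '192.0.2.10 - - [15/May/2007:10:03:40 +0000] "GET /a%20b/page.jsp HTTP/1.1" 200 990',
]

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```

Hits against a host still running Resin 3.1.0 on Windows deserve review of the response status and size for the same request.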
Solution / Fix
Solution:
The vendor has released version 3.1.1, which addresses these issues. Please see the references for more information.
Caucho Resin Professional 3.1
- Caucho Technology resin-pro-3.1.1.tar.gz
  http://www.caucho.com/download/resin-pro-3.1.1.tar.gz
Caucho Resin 3.1
- Caucho Technology resin-3.1.1.tar.gz
  http://www.caucho.com/download/resin-3.1.1.tar.gz
References
References:
- Caucho Technology Homepage (Caucho Technology)
- Resin Change Log (Caucho Technology)