Back to Advisories

Advisories

Rapid7 Advisory R7-0030: Caucho Resin Multiple Path Disclosure Vulnerabilities

Summary

May 14, 2007 - Caucho Resin for Windows contains two path disclosure vulnerabilities which could be used by an attacker to attain the full system path to Resin's web application directory.

Rapid7 has updated Nexpose to check for this vulnerability. Licensedcustomers will receive the new vulnerability checks automatically. Visit www.rapid7.com to register for a free demo of Nexpose.

Affected system(s):

KNOWN VULNERABLE:

  • Caucho Resin Professional v3.1.0 for Windows
  • Caucho Resin v3.1.0 for Windows
  • Caucho Resin v3.0.21 for Windows
  • Caucho Resin v3.0.20 for Windows
  • Caucho Resin v3.0.19 for Windows
  • Caucho Resin v3.0.18 for Windows
  • Caucho Resin v3.0.17 for Windows

KNOWN FIXED:

  • Caucho Resin v3.1.1 for Windows
  • Caucho Resin Professional v3.1.1 for Windows

Vendor Info

Caucho Technology, Inc.
http://www.caucho.com/

Caucho was notified of this vulnerability on May 3rd, 2007.They fixed this vulnerability in the latest unofficial snapshot of Resin 3.1.1, available from Caucho's Web site.

Solution

Upgrade to Caucho Resin 3.1.1 or later.

Detailed Analysis

Caucho Resin is vulnerable to multiple path disclosure vulnerabilities due to insufficient sanitizing of user-supplied paths while (1) attempting to deploy web applications and (2) attempting to display .xtp files.

  1. A request from any unauthenticated remote user in the form of:
    http://victim:8080/%20
  2. A request from any unauthenticated remote user in the form of:
    http://victim:8080/[webapp]/%20.xtp

In both cases, the full system path to the Caucho Resin server is disclosed due to uncaught java IOExceptions reported to the requesting user.

Credit
Discovered by Derek Abdine of Rapid7.

Disclaimer & Copyright

Rapid7, LLC is not responsible for the misuse of the informationprovided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.

This advisory Copyright (C) 2007 Rapid7, LLC. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.