Rapid7 Vulnerability & Exploit Database

Caucho Resin Windows Directory Traversal Vulnerability


Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published: 05/16/2006
Created: 07/25/2018
Added: 05/16/2006
Modified: 02/13/2015

Description

The Caucho Resin web application server for Windows contains a directory traversal vulnerability that allows remote, unauthenticated users to download arbitrary files from the system, including files on any drive.

Resin ships with its own standalone web server which runs by default on port 8080. Any remote user can request URLs of the form:

http://victim:8080/C:%5C/

to access the root of the C: drive (and any files below it). Any drive letter can be specified. Only Resin on Windows is vulnerable. This vulnerability appears to have been introduced in Resin version 3.0.17, although this has not been confirmed by the vendor.
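The request form above is simple to spot in access logs: the path starts with a drive letter, a colon and a (percent-encoded) backslash. The following detector is an added example written for this page, not Rapid7's or Caucho's code. It assumes Common Log Format lines (constructed sample data below, not real traffic) and goes slightly beyond the single-encoded `%5C` shown on the page by decoding repeatedly, so a double-encoded variant such as `%255C` is also flagged.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [16/May/2006:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 512
10.0.0.7 - - [16/May/2006:10:01:05 +0000] "GET /C:%5C/ HTTP/1.1" 200 2048
10.0.0.7 - - [16/May/2006:10:01:09 +0000] "GET /D:%5Cdata%5Creport.txt HTTP/1.1" 200 310
10.0.0.9 - - [16/May/2006:10:02:11 +0000] "GET /C%3A%255C/ HTTP/1.1" 200 2048
10.0.0.3 - - [16/May/2006:10:03:00 +0000] "GET /app/c.css HTTP/1.1" 200 77
"""

# Minimal CLF parser: client IP, timestamp, request line, status, size.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# A decoded request path that begins with "<drive letter>:" followed by a
# backslash or forward slash, optionally preceded by the leading "/".
DRIVE_ROOT_RE = re.compile(r'^/?[A-Za-z]:[\\/]')


def decode_path(path, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded input such as %255C -> %5C -> backslash is normalised."""
    prev = path
    for _ in range(max_rounds):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    return prev


def is_drive_traversal(path):
    """True when the normalised path targets a Windows drive root."""
    return bool(DRIVE_ROOT_RE.match(decode_path(path)))


def scan_log(text):
    """Return one record per log line whose request path is a drive-letter
    traversal attempt; lines that do not parse as CLF are skipped."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        if is_drive_traversal(m['path']):
            hits.append({
                'ip': m['ip'],
                'path': m['path'],
                'decoded': decode_path(m['path']),
                'status': int(m['status']),
            })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} requested {hit['path']} -> {hit['decoded']} (HTTP {hit['status']})")
```

A 200 status on a flagged request is the signal that matters: it indicates the server actually served content for the drive path rather than rejecting it, which is the behaviour the advisory describes for unpatched Windows builds before 3.0.19.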

Solution(s)

  • upgrade-caucho-resin-3_0_19
