The Caucho Resin web application server for Windows contains a
directory traversal vulnerability that allows remote
unauthenticated users to download any file from the system. It is
possible to download files from any drive on the system.
Resin ships with its own standalone web server, which runs by default on
port 8080. Any remote user can request URLs of the form:
to access the root of the C: drive (and any files below it). Any
drive letter can be specified. Only Resin on Windows is vulnerable.
This vulnerability appears to have been introduced in Resin
version 3.0.17, although this has not been confirmed by the vendor.