Back to Advisories


Rapid7 Advisory R7-0029: Caucho Resin Web Application Directory Traversal


May 14, 2007 - The Caucho Resin web application server for Windows contains a directory traversal vulnerability that allows remote unauthenticated users to download files from a web application's hidden "WEB-INF" directory. This directory typically contains sensitive server configuration files and compiled java source code.

Rapid7 have updated Nexpose to check for this vulnerability. Licensed customers will receive the new vulnerability checks automatically. Visit to register for a free demo of Nexpose.

Affected system(s):


  • Caucho Resin Professional v3.1.0 for Windows
  • Caucho Resin v3.1.0 for Windows
  • Caucho Resin v3.0.21 for Windows
  • Caucho Resin v3.0.20 for Windows
  • Caucho Resin v3.0.19 for Windows
  • Caucho Resin v3.0.18 for Windows
  • Caucho Resin v3.0.17 for Windows


  • Caucho Resin v3.1.1 for Windows
  • Caucho Resin Professional v3.1.1 for Windows

Vendor Info

Caucho Technology, Inc.

Caucho was notified of this vulnerability on May 3rd, 2007.They fixed this vulnerability in the latest unofficial snapshot of Resin 3.1.1, available from Caucho's Web site.


Upgrade to Caucho Resin 3.1.1 or later.

Detailed Analysis

Caucho Resin is a servlet and JSP server. Resin ships with its own stand-alone web server which runs by default on port 8080. Any remote user can request URLs of the form:


to access the web-inf directory of the corresponding web application. Any known sub directory may also be specified.

Discovered by Derek Abdine of Rapid7.

Disclaimer & Copyright

Rapid7, LLC is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.

This advisory Copyright (C) 2007 Rapid7, LLC. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.