Subject: RESIN ServletExec JSP Source Disclosure Vulnerability (Resin Web Server)
From: benjurry (benjurry at YEAH.NET)
Date: Tue Nov 21 2000 - 20:50:45 CST
Resin(tm) serves the fastest servlets and JSP. With Java and JavaScript support, Resin gives web applications the flexibility to choose the right language for the task. Resin's leading XSL (XML stylesheet language) support encourages separation of content from formatting.
Resin provides a standalone web server. It actually serves static pages faster than Apache! The standalone web server is ideal for evaluation or experimentation and is a good choice as the web server for many sites.
But on Resin 1.2.b2 (maybe Resin 1.1 also) (Win2k Simplified Chinese version), ServletExec will return the source code of JSP files when an HTTP request is appended with "../".
For example, the following URL will display the source of the specified JSP file:
http://benjurry/benjurry.jsp../
Successful exploitation could lead to the disclosure of sensitive information contained within JSP pages.
Solution:
I reported this bug to the vendor, and they fixed this in Resin 1.2, so we can update to Resin 1.2.
Benjurry
benjurry at 263.net
2000.11.22
Share what I know, learn what I don't
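The request pattern in the advisory, a ".jsp" name followed by "../" so the path no longer ends with the script extension, is easy to spot in web-server access logs. The following detector is an added example, not code from the post or from Resin; the log lines and the list of script extensions are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed Common-Log-Format lines for illustration (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Nov/2000:09:01:10 +0800] "GET /index.jsp HTTP/1.0" 200 512
10.0.0.7 - - [22/Nov/2000:09:02:31 +0800] "GET /benjurry.jsp../ HTTP/1.0" 200 1834
10.0.0.7 - - [22/Nov/2000:09:02:40 +0800] "GET /admin/login.jsp%2e%2e/ HTTP/1.0" 200 2201
10.0.0.9 - - [22/Nov/2000:09:03:02 +0800] "GET /images/logo.gif HTTP/1.0" 200 4096
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Script extensions to watch; the set is an assumption, extend it for your deployment.
# Match an extension that is followed by something other than '/' or '?':
# '/x.jsp' (end) and '/x.jsp/info' (servlet path info) are normal,
# '/x.jsp../' or '/x.jsp.bak' are not and may reach the static-file handler.
EXT_NOT_TERMINAL_RE = re.compile(r'\.(?:jsp|jhtml|xtp)(?=[^/?])', re.IGNORECASE)


def is_suspicious_path(target: str) -> bool:
    """Return True when a script extension is not the last thing in its path segment.
    The path is percent-decoded first so '%2e%2e' is seen as '..'."""
    path = unquote(target.split("?", 1)[0])
    return EXT_NOT_TERMINAL_RE.search(path) is not None


def scan_log(text: str) -> list:
    """Parse each access-log line and collect client/target pairs that look like
    attempts to fetch script source rather than execute the script."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_suspicious_path(m.group("target")):
            hits.append({"client": line.split()[0], "target": m.group("target")})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} requested {hit['target']}")
```

A 200 status with an unusually large response body on such a request is the stronger signal that source was actually returned rather than a 404.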