RESIN ServletExec JSP Source Disclosure Vulnerability(Resin Web Server)
From: benjurry <benjurry () YEAH NET>
Date: Wed, 22 Nov 2000 10:50:45 +0800
flexibility to choose the right language for the task. Resin's leading XSL (XML stylesheet language) support encourages
separation of content from formatting.
Resin provides a standalone web server. It actually serves static pages faster than Apache! The standalone web server
is ideal for evaluation or experimentation and is a good choice as the web server for many sites.
But on Resin 1.2.b2 (maybe Resin 1.1 also) (Win2k Simplified Chinese version), ServletExec will return the source code of JSP
files when an HTTP request is appended with "../".
For example, the following URL will display the source of the specified JSP file:
Successful exploitation could lead to the disclosure of sensitive information contained within JSP pages.
I reported this bug to the vendor, and they fixed it in Resin 1.2, so we can update to Resin 1.2.
benjurry () 263 net
Share what I know, Learn what I don't
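
An added example, not part of the original post: a Python check that flags access-log requests in which "../" is appended to a .jsp path, the request shape the post describes. The common log format, the function names and the sample lines are assumptions constructed for illustration; the sample requests are not the URL omitted from the post.

```python
import re
from urllib.parse import unquote, urlsplit

# Request field of a common/combined format access log (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# A .jsp file name immediately followed by an appended "../" at the end of the path.
JSP_DOTDOT_RE = re.compile(r'\.jsp/*\.\./?$', re.IGNORECASE)


def is_jsp_dotdot_request(target: str) -> bool:
    """True when the request path names a .jsp file with "../" appended."""
    path = urlsplit(target).path   # drop any query string
    path = unquote(path)           # normalise percent-encoding before matching
    return JSP_DOTDOT_RE.search(path) is not None


def scan(lines):
    """Return (line number, request target, status) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and is_jsp_dotdot_request(match.group("target")):
            hits.append((number, match.group("target"), int(match.group("status"))))
    return hits


# Constructed sample log lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Nov/2000:10:41:02 +0800] "GET /index.jsp HTTP/1.0" 200 1834',
    '192.0.2.77 - - [22/Nov/2000:10:42:15 +0800] "GET /index.jsp../ HTTP/1.0" 200 912',
    '192.0.2.77 - - [22/Nov/2000:10:42:19 +0800] "GET /login.jsp%2e%2e%2f HTTP/1.0" 404 210',
    '192.0.2.10 - - [22/Nov/2000:10:43:40 +0800] "GET /docs/../index.jsp HTTP/1.0" 200 1834',
]

if __name__ == "__main__":
    for number, target, status in scan(SAMPLE_LOG):
        # A 200 response means the server answered the request and the body
        # should be reviewed for JSP source; other codes are probes that failed.
        note = "review response for JSP source" if status == 200 else "rejected"
        print(f"line {number}: {target} -> {status} ({note})")
```

Hits answered with status 200 on a Resin version older than 1.2 are the ones to review first, since the post states the fix landed in Resin 1.2.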