Full Disclosure mailing list archives

KPMG-2002033: Resin DOS device path disclosure
From: full-disclosure () lists netsys com (Peter Gründl)
Date: Wed, 17 Jul 2002 11:34:02 +0200


Title: Resin DOS device path disclosure

BUG-ID: 2002033
Released: 17th Jul 2002

It is possible to disclose the physical path to the web root. This
information could be useful to a malicious user wishing to gain
unauthorized access to resources on the server.

Vulnerable:
- Resin 2.1.1 on Windows 2000 Server
- Resin 2.1.2 on Windows 2000 Server

Not Vulnerable:
- Resin 2.1.s020711 on Windows 2000 Server

Requesting certain reserved DOS device names, such as lpt9.xtp, results
in an error message that contains the physical path to the web root.
Windows treats the part of the name before the first dot as the device
regardless of the extension, so the attempt to open the file fails and
the servlet engine's exception message includes the path it tried.

500 Servlet Exception
java.io.FileNotFoundException: C:\Documents and Settings\Administrator
(Access is denied)
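The defensive counterpart to the behaviour above is to recognise a reserved Windows device name before any file is opened, and to look for such requests in existing access logs. The following is an added example, not code from the advisory or from Caucho's Resin: it implements the Win32 naming rule (the portion of a path segment before the first dot, compared case-insensitively after stripping trailing spaces, against CON, PRN, AUX, NUL, COM1-COM9 and LPT1-LPT9), and runs it over a few constructed Common Log Format lines. The log lines, IP addresses and the regular expression for the log format are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Win32 reserves these names for devices in every directory and with any
# extension, so "lpt9.xtp" and "nul.txt.bak" both hit a device, not a file.
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Common Log Format, assumed for the constructed sample lines below.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)


def reserved_device_name(segment: str) -> Optional[str]:
    """Return the device a single path segment resolves to, or None.

    Mirrors the Win32 rule: only the text before the first '.' counts,
    trailing spaces are ignored, and the comparison is case-insensitive.
    """
    base = segment.split(".", 1)[0].rstrip(" ").upper()
    return base if base in _RESERVED else None


def request_targets_device(request_path: str) -> Optional[str]:
    """Decode a request path and report the first segment naming a device.

    Percent-decoding happens before the check so encoded names such as
    %43%4fn (CON) are not missed; the query string is ignored.
    """
    path = unquote(urlsplit(request_path).path)
    for segment in re.split(r"[\\/]+", path):
        name = reserved_device_name(segment)
        if name:
            return name
    return None


def flag_device_requests(log_lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (client, path, device, status) for every request that named a device.

    A device name paired with a 500 is the pattern the advisory describes;
    a device name with any other status is still worth noting because it
    shows someone probing for the behaviour.
    """
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        device = request_targets_device(m["path"])
        if device:
            hits.append((m["ip"], m["path"], device, int(m["status"])))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jul/2002:11:34:02 +0200] "GET /lpt9.xtp HTTP/1.0" 500 312',
    '10.0.0.5 - - [17/Jul/2002:11:34:05 +0200] "GET /index.xtp HTTP/1.0" 200 1044',
    '10.0.0.7 - - [17/Jul/2002:11:35:11 +0200] "GET /docs/%43%4fn.jsp HTTP/1.0" 500 298',
    '10.0.0.9 - - [17/Jul/2002:11:36:40 +0200] "GET /commerce/aux1.xtp HTTP/1.0" 200 2210',
    '10.0.0.7 - - [17/Jul/2002:11:37:02 +0200] "GET /nul HTTP/1.0" 500 301',
]

if __name__ == "__main__":
    for client, path, device, status in flag_device_requests(SAMPLE_LOG):
        print(f"{client} requested {path} -> device {device} (status {status})")
```

A servlet filter or reverse-proxy rule that calls `request_targets_device` on the decoded path and answers with a generic 404 when it returns a name keeps the request from ever reaching the filesystem; independently of the upgrade, configuring the engine to serve a static error page instead of the raw exception text removes the path from any future error of this kind.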

Vendor URL:
You can visit the vendor webpage here: http://www.caucho.com

Vendor response:
The vendor was notified on the 22nd of May, 2002. On the 12th of
July we verified that the problem was corrected in the latest build.

Corrective action:
Upgrade to a newer version. This issue was first resolved in build
s020711, available here: http://www.caucho.com/download/index.xtp

Author: Peter Gründl (pgrundl () kpmg dk)

KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be liable
for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
