COMMAND

    Resin Webserver

SYSTEMS AFFECTED

    Resin Webserver

PROBLEM

    Joe Testa found the following. Resin 1.2.2 is a webserver. A
    vulnerability exists which allows a remote user to break out of
    the web root using relative paths (i.e. '..', '...').

    Resin does in fact check that the requested path lies within the
    webroot, but by inserting a backslash before any '..' or '...', it
    is possible to defeat the check. The following URL demonstrates
    this vulnerability:

        http://localhost:8080/\../readme.txt
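
    The two halves of the bug, as an added example that is not Resin's
    code: a segment-based check of the kind the advisory describes, which
    the backslash trick slips past, beside a hardened resolver that unifies
    separators and normalises against the web root before deciding. The
    web root path is a constructed placeholder.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed placeholder web root; not a path from the advisory.
WEBROOT = "/var/www/webapp"


def naive_segment_check(url_path: str) -> bool:
    """A check of the kind the advisory describes: forbid '..' and '...'
    only when they appear as whole forward-slash-delimited segments.
    A backslash glued to the dots ('\\..') is a different string, so the
    segment slips past, and a server that later treats '\\' as a
    separator walks above the web root."""
    segments = url_path.split("/")
    return ".." not in segments and "..." not in segments


def hardened_resolve(url_path: str) -> Optional[str]:
    """Decode, unify separators, collapse dot segments, then confirm the
    result still lies under WEBROOT. Returns the filesystem path to serve,
    or None when the request would leave the web root."""
    decoded = unquote(url_path)               # %5c -> '\\', %2e -> '.'
    unified = decoded.replace("\\", "/")      # '\\..' becomes '/..'
    # Join to the root *before* normalising, so that '..' climbing above
    # the root yields a path outside WEBROOT instead of being dropped.
    target = posixpath.normpath(WEBROOT + "/" + unified)
    # normpath leaves '...' alone; the advisory lists it as a traversal
    # token, so refuse any segment made only of three or more dots.
    if any(len(seg) > 2 and set(seg) == {"."} for seg in target.split("/")):
        return None
    if target != WEBROOT and not target.startswith(WEBROOT + "/"):
        return None
    return target


if __name__ == "__main__":
    for path in ("/\\../readme.txt", "/%5c../readme.txt", "/docs/../readme.txt"):
        print(path, naive_segment_check(path), hardened_resolve(path))
```

    The same approach applies to any request path check: compare against
    the root only after the path has been decoded and fully normalised.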

SOLUTION

    A fixed upgrade, 1.2.3, was released and is available at:

        http://www.caucho.com/download/index.xtp