COMMAND

    Resin

SYSTEMS AFFECTED

    Resin 1.2.* & 1.3b1

PROBLEM

    The following is based on CHINANSL Security Advisory  CSA-200111.
    A vulnerability has been found in Resin 1.2.* and Resin 1.3b1  when
    installed on Windows NT/2000.  It allows remote attackers to  read
    JavaBean  source  files  stored  under  the  forbidden  WEB-INF
    directory.  For example, the request:

        http://Resin1.*:8080/WEB-INF/classes/Env.java

    is correctly refused with:

        403 Forbidden

    But if ".jsp" is inserted before "/WEB-INF/", the WEB-INF protection
    is not applied and the Resin server sends back the content of
    Env.java.

    Exploit:

        http://Resin1.*:8080/.jsp/WEB-INF/classes/Env.java

    This request causes the Resin server to return the content  of
    Env.java.  In the same way a remote attacker can retrieve any
    JavaBean source file whose path under WEB-INF is known.  WEB-INF
    holds the application's classes and deployment descriptor and is
    meant to be unreachable from the network, so disclosing its
    contents exposes application logic and configuration.
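    The bypass fits the pattern of an access check applied to the raw
    request path rather than to every segment of the canonicalized path.
    The following is an added example, not code from the advisory or
    from Resin, and the assumed cause (a prefix check on the raw path)
    is a model of the observed behaviour, not Resin's actual source.
    It contrasts such a prefix check with a segment-wise check on the
    decoded, normalized path, and runs both over constructed access-log
    lines to flag bypass attempts.  The function names, the PROTECTED
    set and the sample log are assumptions made for illustration.

```python
"""
Added example (not from the advisory or Resin): a forbidden-directory
check on the raw request path versus one on the canonicalized path,
plus a small log scan that flags requests which reach WEB-INF by a path
the weak check would let through.  All function names are hypothetical.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumed model of the flawed behaviour: only paths that *start* with
# /WEB-INF/ are refused, so /.jsp/WEB-INF/... is not matched.
def naive_is_forbidden(request_uri: str) -> bool:
    path = urlsplit(request_uri).path
    return path.startswith("/WEB-INF/")

# Directories that must never be served, compared case-insensitively
# because Windows file systems are case-insensitive.
PROTECTED = {"web-inf", "meta-inf"}

def hardened_is_forbidden(request_uri: str) -> bool:
    """Refuse any request whose canonical path contains a protected
    segment anywhere, not just at the start."""
    path = urlsplit(request_uri).path
    # Decode twice so a double-encoded %2557EB-INF is still caught.
    for _ in range(2):
        path = unquote(path)
    canon = posixpath.normpath(path)  # collapses "." and ".." segments
    segments = [s for s in canon.split("/") if s]
    return any(s.lower() in PROTECTED for s in segments)

# Constructed sample access-log lines (Common Log Format), not real
# traffic; the date is arbitrary.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2001:10:00:00 +0000] "GET /index.jsp HTTP/1.0" 200 512
10.0.0.5 - - [01/Nov/2001:10:00:01 +0000] "GET /WEB-INF/classes/Env.java HTTP/1.0" 403 0
10.0.0.5 - - [01/Nov/2001:10:00:02 +0000] "GET /.jsp/WEB-INF/classes/Env.java HTTP/1.0" 200 2048
10.0.0.9 - - [01/Nov/2001:10:00:03 +0000] "GET /images/../WEB-INF/web.xml HTTP/1.0" 200 1200
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def find_bypass_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (uri, status) for requests that reach a protected directory
    through a path the prefix-only check would not have refused."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        uri = m.group("uri")
        if hardened_is_forbidden(uri) and not naive_is_forbidden(uri):
            hits.append((uri, m.group("status")))
    return hits

if __name__ == "__main__":
    for uri in ("/WEB-INF/classes/Env.java", "/.jsp/WEB-INF/classes/Env.java"):
        print(uri, "naive:", naive_is_forbidden(uri), "hardened:", hardened_is_forbidden(uri))
    for uri, status in find_bypass_requests(SAMPLE_LOG):
        print("bypass attempt:", uri, "status", status)
```

    A hit with status 200 in the scan is the case to act on: the
    request reached a protected directory and the server answered it.
    Running the scan over existing logs after patching tells you whether
    the bypass was used before the fix.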

SOLUTION

    Modify resin.conf so that access to WEB-INF is denied regardless of
    what precedes it in the request path (the original advisory gives
    no further detail).  After the change, confirm that the exploit URL
    above returns 403 Forbidden like the first request, rather than the
    file content.