Vendor: Resin
By: SecurityFocus
CVSS: 4.3 (MEDIUM)
Vulnerability Type: Input Validation Bug
CWE: 20
Product Name: Resin
Affected Version From: Resin 1.2.1
Affected Version To: Resin 2.0.2
Patch Exists: YES
Related CWE: N/A
CPE: a:caucho:resin
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002
Bypassing JavaBean Protection in Resin Webservers
A specially constructed HTTP request could enable a remote attacker to gain read access to any known JavaBean file residing on a host running Resin. On Resin webservers, JavaBean files reside in a protected directory, '/WEB-INF/classes/'. Unfortunately, this protection can be bypassed due to an input validation bug in the Resin webserver. If an attacker inserts the substring '.jsp' before the path of the JavaBean in the request, the webserver will incorrectly interpret the request and serve the contents of the requested JavaBean to the client.
Mitigation:
Input validation should be performed to ensure that user-supplied data is properly sanitized.
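As an added example (not from the advisory and not Resin's own code), a defender-side check of the kind the mitigation calls for: it normalizes a request path (percent-decoding, dot-segment removal, case folding) and refuses any path that reaches a protected servlet directory no matter what precedes it, then runs that check over constructed access-log lines. The protected segment names, the log format and the sample requests are assumptions.

```python
"""Path-normalizing access check for protected servlet directories (added example)."""
from urllib.parse import unquote

# Directories a servlet container must never serve directly (assumed set).
PROTECTED = {"web-inf", "meta-inf"}

def normalize_path(raw_path: str) -> list[str]:
    """Decode a request path and collapse it into its effective segment list."""
    path = unquote(raw_path.split("?", 1)[0])   # drop query string, percent-decode once
    path = path.replace("\\", "/")
    segments: list[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                              # empty and '.' segments change nothing
        if seg == "..":
            if segments:
                segments.pop()                    # '..' climbs one level, never above root
            continue
        segments.append(seg)
    return segments

def is_protected_request(raw_path: str) -> bool:
    """True if the request should be refused: a protected segment anywhere in the path,
    so a leading segment such as '.jsp' cannot hide the real target."""
    return any(seg.lower() in PROTECTED for seg in normalize_path(raw_path))

# Constructed sample log lines (Common Log Format style) for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2002:10:00:00 +0000] "GET /index.jsp HTTP/1.0" 200 512
10.0.0.5 - - [01/Jan/2002:10:00:01 +0000] "GET /WEB-INF/classes/Shop.class HTTP/1.0" 404 0
10.0.0.5 - - [01/Jan/2002:10:00:02 +0000] "GET /.jsp/WEB-INF/classes/Shop.class HTTP/1.0" 200 2048
10.0.0.5 - - [01/Jan/2002:10:00:03 +0000] "GET /web-inf/web.xml HTTP/1.0" 200 900
10.0.0.5 - - [01/Jan/2002:10:00:04 +0000] "GET /images/%2e%2e/WEB-INF/web.xml HTTP/1.0" 200 900
"""

def flag_log(log_text: str) -> list[str]:
    """Return the request paths in the log that target a protected directory."""
    flagged = []
    for line in log_text.splitlines():
        try:
            request = line.split('"')[1]          # 'GET /path HTTP/1.0'
            path = request.split()[1]
        except IndexError:
            continue                              # not a request line we understand
        if is_protected_request(path):
            flagged.append(path)
    return flagged

if __name__ == "__main__":
    for p in flag_log(SAMPLE_LOG):
        print("protected resource requested:", p)
```

A status of 200 on a flagged line is the signal worth alerting on, since a correctly patched server answers such requests with 404.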