Resin for Windows \WEB-INF Traversal Arbitrary File Access

Medium | Nessus Plugin ID 25241

Synopsis

The remote web server is prone to a directory traversal attack.

Description

The remote host is running Resin, an application server.

The installation of Resin on the remote host allows an unauthenticated, remote attacker to access the WEB-INF directories, or any known subdirectories, on the affected Windows host, which could lead to a loss of confidentiality.

Solution

Upgrade to Resin / Resin Pro 3.1.1 or later.

See Also

http://www.rapid7.com/advisories/R7-0029.jsp

http://www.caucho.com/resin-3.1/changes/changes.xtp

Plugin Details

Severity: Medium

ID: 25241

File Name: resin_dir_traversal2.nasl

Version: 1.23

Type: remote

Family: Web Servers

Published: 5/16/2007

Updated: 7/27/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.5

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:caucho:resin

Required KB Items: www/resin

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 5/7/2007

Vulnerability Publication Date: 5/14/2007

Reference Information

CVE: CVE-2007-2440

BID: 23985