Executive Summary
Summary | |
---|---|
Title | Caucho Resin vulnerable to XSS via "file" parameter to "viewfile" |
Information | |||
---|---|---|---|
Name | VU#305208 | First vendor Publication | 2008-06-25 |
Vendor | VU-CERT | Last vendor Modification | 2008-06-25 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
CVSS vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
CVSS vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
CVSS Base Score | 4.3 | Attack Range | Network |
CVSS Impact Score | 2.9 | Attack Complexity | Medium |
CVSS Exploit Score | 8.6 | Authentication | None Required |
Detail
Vulnerability Note VU#305208
Caucho Resin vulnerable to XSS via "file" parameter to "viewfile"
Overview
The "viewfile" command provided by Caucho Resin contains a cross-site scripting (XSS) vulnerability in the "file" parameter.
I. Description
Caucho Resin is a Java-based application server. The "viewfile" command that ships with the Resin documentation is vulnerable to XSS via the "file" parameter: the value is reflected into the generated page without being neutralised.
II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary script within the context of the Resin web pages.
III. Solution
Apply an update
This issue is resolved in Resin 3.0.25 and 3.1.4. Note also that the vendor does not recommend including the Resin documentation on production web servers; removing the documentation removes the vulnerable command from the server.
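As an added example, not taken from the CERT note and not Resin's own code: a stand-in for the behaviour the note describes (a "file" parameter echoed into an HTML page) beside its output-encoded form, and the check a scanner applies to tell the two apart, requesting the page with a harmless marker in "file" and looking for it verbatim in the response. The handler bodies, the probe string and the viewfile URL path at the bottom are assumptions; the advisory names the command but does not show its code or state its URL.

```python
"""Reflected XSS of the kind described in VU#305208, modelled and checked.

Example code added for this page. render_vulnerable() and render_fixed()
are stand-ins for the described behaviour (a "file" parameter echoed into
an HTML page), not Resin's viewfile implementation, which the advisory does
not show. reflects_unescaped() is the check a scanner performs: request the
page with a harmless marker in "file" and see whether it comes back verbatim.
"""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed probe: an unlikely tag name, so a match cannot be accidental,
# and one that no browser will execute even if it is reflected raw.
PROBE = "<vu305208probe>"


def render_vulnerable(file_param: str) -> str:
    """Unfixed pattern: the parameter is written into the page unchanged."""
    return (
        "<html><body><h1>viewfile: " + file_param + "</h1>"
        "<pre>(file contents would follow)</pre></body></html>"
    )


def render_fixed(file_param: str) -> str:
    """Hardened pattern: HTML-encode the parameter before reflecting it.

    Output encoding is the standard remedy for CWE-79; the advisory only says
    the issue is fixed in 3.0.25 and 3.1.4, not how, so this is an assumption.
    """
    safe = html.escape(file_param, quote=True)
    return (
        "<html><body><h1>viewfile: " + safe + "</h1>"
        "<pre>(file contents would follow)</pre></body></html>"
    )


def build_probe_url(base: str, path: str) -> str:
    """Compose the test request; URL-encoding the probe hides nothing from the server."""
    return base.rstrip("/") + "/" + path.lstrip("/") + "?" + urlencode({"file": PROBE})


def file_param_from_url(url: str) -> str:
    """What a servlet would see in request.getParameter("file")."""
    return parse_qs(urlsplit(url).query).get("file", [""])[0]


def reflects_unescaped(body: str, probe: str = PROBE) -> bool:
    """True only if the probe is present verbatim; '&lt;vu305208probe&gt;' is a miss."""
    return probe in body


def check_handler(handler, url: str) -> bool:
    """Drive a handler with the probe URL and report whether it reflects raw."""
    return reflects_unescaped(handler(file_param_from_url(url)))


if __name__ == "__main__":
    # Assumed path: the advisory names the command but not its URL.
    url = build_probe_url("http://resin.example.test", "/resin-doc/viewfile/")
    for name, handler in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(f"{name}: reflects probe unescaped = {check_handler(handler, url)}")
```

Against a live server the same reflects_unescaped() check is applied to the body of a GET to the probe URL; a 404 for the documentation path means the vendor's recommended mitigation (not deploying the documentation on production servers) is already in effect.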
References
Thanks to Tomasz Kuczynski for reporting this vulnerability. This document was written by Will Dormann.
Original Source
Url : http://www.kb.cert.org/vuls/id/305208 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
46515 | Caucho Resin Documentation viewfile Command file Parameter XSS: Caucho Resin contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'file' parameter upon submission to the 'viewfile' application. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2008-06-30 | Name : The remote web server contains a Java Servlet that is affected by a cross-sit... File : resin_viewfile_xss.nasl - Type : ACT_ATTACK |
Alert History
Date | Information |
---|---|
2014-02-17 12:07:43 |