Vulnerability Note VU#305208

Caucho Resin vulnerable to XSS via "file" parameter to "viewfile"

Original Release date: 25 Jun 2008 | Last revised: 25 Jun 2008

Overview

The "viewfile" command provided by Caucho Resin contains a cross-site scripting (XSS) vulnerability in the "file" parameter.

Description

Caucho Resin is a Java-based application server. The "viewfile" command that is provided with the Resin documentation is vulnerable to XSS via the "file" parameter.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary script within the context of the Resin web pages.

Solution

Apply an update

This issue is resolved in Resin 3.0.25 and 3.1.4. Note that the vendor does not recommend including the Resin documentation on production web servers; leaving the documentation off production systems keeps the vulnerable command from being exposed in the first place.
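As an added example that is not part of the original note, the following Python check scans access-log lines for requests to the documentation's "viewfile" command whose "file" parameter carries HTML markup characters (including double percent-encoded ones), so an administrator can see whether the endpoint was exposed and probed before the update or documentation removal was applied. The log lines are constructed, and the /resin-doc/viewfile/ path and common log format are assumptions, not details from the note.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format); not real Resin logs.
# The /resin-doc/viewfile/ path is an assumption about where the docs are served.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Dec/2007:10:01:02 +0000] "GET /resin-doc/viewfile/?file=index.xtp HTTP/1.1" 200 2048
10.0.0.9 - - [05/Dec/2007:10:01:07 +0000] "GET /resin-doc/viewfile/?file=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 512
10.0.0.7 - - [05/Dec/2007:10:02:11 +0000] "GET /index.jsp HTTP/1.1" 200 100
10.0.0.9 - - [05/Dec/2007:10:03:00 +0000] "GET /resin-doc/viewfile/?file=%2522%253E HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Characters that let a reflected value break out of an HTML text or attribute context.
MARKUP_CHARS = set('<>"\'')


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, to catch double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious_viewfile_requests(log_text):
    """Return (client, decoded_file_value) for viewfile requests whose
    'file' parameter contains HTML markup characters after full decoding."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group('target'))
        if 'viewfile' not in target.path:
            continue  # only the documentation's viewfile command is of interest
        for raw in parse_qs(target.query, keep_blank_values=True).get('file', []):
            decoded = fully_decode(raw)
            if MARKUP_CHARS & set(decoded):
                findings.append((m.group('client'), decoded))
    return findings


if __name__ == '__main__':
    for client, value in find_suspicious_viewfile_requests(SAMPLE_LOG):
        print(f"{client} requested viewfile with markup in file={value!r}")
```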

Systems Affected

Vendor              Status     Date Notified   Date Updated
Caucho Technology   Affected   28 Nov 2007     25 Jun 2008

CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A     N/A

Credit

Thanks to Tomasz Kuczynski for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2008-2462
  • Date Public: 05 Dec 2007
  • Date First Published: 25 Jun 2008
  • Date Last Updated: 25 Jun 2008
  • Severity Metric: 5.94
  • Document Revision: 2
