The "viewfile" command provided by Caucho Resin contains a cross-site scripting (XSS) vulnerability in the "file" parameter.
Caucho Resin is a Java-based application server. The "viewfile" command that is provided with the Resin documentation is vulnerable to XSS via the "file" parameter.
A remote, unauthenticated attacker may be able to execute arbitrary script within the context of the Resin web pages.
Apply an update
This issue is resolved in Resin 3.0.25 and 3.1.4. Note that the vendor does not recommend including the Resin documentation on production web servers, which would prevent the vulnerable command from being exposed.
Thanks to Tomasz Kuczynski for reporting this vulnerability.
This document was written by Will Dormann.
|Date First Published:||2008-06-25|
|Date Last Updated:||2008-06-25 20:50 UTC|