We are currently using Resin3.0.25 and we could not pass PCI Compliance
scan due to the following problem (The message below is taken from the
scan results):
Synopsis : The remote web server contains a Java Servlet that is
affected by a cross-site scripting vulnerability. Description : The
remote host is running Resin, an application server. The 'viewfile'
Servlet included with the version of Resin installed on the remote host
fails to sanitize user input to the 'file' parameter before including it
in dynamic HTML output. An attacker may be able to leverage this issue
to inject arbitrary HTML and script code into a user's browser to be
executed within the security context of the affected site. Note that the
affected Servlet is part of the Resin documentation, which should not be
installed on production servers. See also :
http://www.securitymetrics.com/u?2ea1b70 f
<http://www.securitymetrics.com/u?2ea1b70f>  Solution: Upgrade to Resin
or Resin Pro version 3.1.4  / 3.0.25 or later.
If you try to view the following on a browser, it runs the script on our
servers, causing XSS security problem
(......./resin-doc/viewfile?file=SMetrics<script>alert('This is
vulnerable to XSS')</script>
his is vulnerable to XSS')</script>> ).
They are suggesting that we should use Resin3.0.25 and we are already
using that version. 
Is there a way to overcome this issue without upgrading to version 3.1
or higher? Or is it possible to restrict access to /resin-doc folder?
I would appreciate it a lot, if you could help me out.
Thank you.
Emre Durmus
PLEASE NOTE: The information contained in this message is privileged and 
confidential, and is intended only for the use of the individual to whom it is 
addressed and others who have been specifically authorized to receive it. If 
you are not the intended recipient, you are hereby notified that any 
dissemination, distribution or copying of this communication is strictly 
prohibited. If you have received this communication in error, or if any 
problems occur with transmission, please contact sender. Thank you.
<>   Please consider the environment before printing this e-mail. <>
resin-interest mailing list

Reply via email to