The easiest thing is probably to delete the resin-doc folder.

-Knut


On Mon, Apr 6, 2009 at 3:23 PM, Durmus, Emre <durm...@teoco.com> wrote:

>  Hi,
>
> We are currently using Resin 3.0.25 and we could not pass PCI Compliance
> scan due to the following problem (The message below is taken from the scan
> results):
>
> -----------
> Synopsis : The remote web server contains a Java Servlet that is affected
> by a cross-site scripting vulnerability. Description : The remote host is
> running Resin, an application server. The 'viewfile' Servlet included with
> the version of Resin installed on the remote host fails to sanitize user
> input to the 'file' parameter before including it in dynamic HTML output. An
> attacker may be able to leverage this issue to inject arbitrary HTML and
> script code into a user's browser to be executed within the security context
> of the affected site. Note that the affected Servlet is part of the Resin
> documentation, which should not be installed on production servers.
> See also: http://www.kb.cert.org/vuls/id/305208
> http://www.securitymetrics.com/u?2ea1b70f
> *Solution*: Upgrade to Resin or Resin Pro version 3.1.4 / 3.0.25 or later.
> -------
>
> If you try to view the following on a browser, it runs the script on our
> servers, causing an XSS security problem:
> (......./resin-doc/viewfile?file=SMetrics<script>alert('This is vulnerable to XSS')</script>
> <http://www.respond.com/resin-doc/viewfile?file=SMetrics%3Cscript%3Ealert%28%27This+is+vulnerable+to+XSS%27%29%3C/script%3E>).
>
>
> They are suggesting that we should use Resin 3.0.25 and we are already using
> that version.
> Is there a way to overcome this issue without upgrading to version 3.1 or
> higher? Or is it possible to restrict access to /resin-doc folder?
>
> I would appreciate it a lot if you could help me out.
>
>
> Thank you.
>
> Emre Durmus
>
> _______________________________________________
> resin-interest mailing list
> resin-interest@caucho.com
> http://maillist.caucho.com/mailman/listinfo/resin-interest
>
>
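Knut's advice is to remove the folder; as an added check (example code, not from this thread or from Caucho), the script below scans web server access-log lines and flags any request that reaches the resin-doc web-app, and specifically the 'viewfile' servlet's 'file' parameter carrying markup, using the encoded payload from the scan report as one constructed sample line. The log lines, hosts and IP addresses are made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format); IPs and paths are made up
# except for the viewfile payload, which is the one quoted in the scan report.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Apr/2009:15:23:01 +0000] "GET /index.jsp HTTP/1.1" 200 512
10.0.0.7 - - [06/Apr/2009:15:23:02 +0000] "GET /resin-doc/viewfile?file=SMetrics%3Cscript%3Ealert%28%27This+is+vulnerable+to+XSS%27%29%3C/script%3E HTTP/1.1" 200 1337
10.0.0.9 - - [06/Apr/2009:15:23:03 +0000] "GET /resin-doc/index.xtp HTTP/1.1" 200 2048
10.0.0.9 - - [06/Apr/2009:15:23:04 +0000] "GET /resin-doc/viewfile?file=jsp/index.jsp HTTP/1.1" 200 900
"""

# Minimal CLF parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Characters that have no business in a file name handed to the docs viewer.
MARKUP_RE = re.compile(r'[<>"\']|javascript:', re.IGNORECASE)


def classify(line):
    """Return (severity, reason) for one access-log line, or None if benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith("/resin-doc/"):
        return None
    if parts.path == "/resin-doc/viewfile":
        # parse_qs already percent-decoded once; unquote again so a
        # double-encoded '<' (%253C) is not missed.
        for value in parse_qs(parts.query).get("file", []):
            if MARKUP_RE.search(unquote(value)):
                return ("high", "markup in viewfile 'file' parameter")
    # Any other hit on the documentation web-app still shows it is deployed,
    # which the scan report says should not be the case on production hosts.
    return ("medium", "resin-doc reachable on production host")


def scan(log_text):
    """Return [(line_no, severity, reason), ...] for every flagged line."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        result = classify(line)
        if result:
            findings.append((n, result[0], result[1]))
    return findings
```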