The easiest thing is probably to delete the resin-doc folder.
On Mon, Apr 6, 2009 at 3:23 PM, Durmus, Emre <durm...@teoco.com> wrote:
> We are currently using Resin 3.0.25 and we could not pass a PCI Compliance
> scan due to the following problem (the message below is taken from the scan):
> Synopsis : The remote web server contains a Java Servlet that is affected
> by a cross-site scripting vulnerability. Description : The remote host is
> running Resin, an application server. The 'viewfile' Servlet included with
> the version of Resin installed on the remote host fails to sanitize user
> input to the 'file' parameter before including it in dynamic HTML output. An
> attacker may be able to leverage this issue to inject arbitrary HTML and
> script code into a user's browser to be executed within the security context
> of the affected site. Note that the affected Servlet is part of the Resin
> documentation, which should not be installed on production servers. See also:
> http://www.kb.cert.org/vuls/id/305208
> *Solution*: Upgrade to Resin or Resin Pro version 3.1.4 / 3.0.25 or later.
> If you try to view the following in a browser, it runs the script on our
> servers, causing an XSS security problem
> is vulnerable to
> They are suggesting that we should use Resin 3.0.25 and we are already using
> that version.
> Is there a way to overcome this issue without upgrading to version 3.1 or
> higher? Or is it possible to restrict access to /resin-doc folder?
> I would appreciate it a lot if you could help me out.
> Thank you.
> Emre Durmus
resin-interest mailing list
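The two options raised in this thread, deleting the resin-doc web-app or denying all requests to it, as an added example that is not from either poster. It uses only the standard servlet deployment descriptor; the assumed location of that descriptor (resin-doc/WEB-INF/web.xml under the Resin install) is not stated in the thread and should be checked against the actual installation.

```xml
<!-- Added example, not from the thread. Assumed file: resin-doc/WEB-INF/web.xml
     (the documentation web-app's own descriptor). Place this element inside the
     existing <web-app> element.

     Preferred fix, as the reply says: remove the resin-doc directory entirely,
     since documentation has no place on a production server. If it must stay,
     the constraint below makes the container reject every request to the app,
     including the 'viewfile' servlet named in the scan finding, before any
     servlet code runs.

     An <auth-constraint/> with no <role-name> authorises nobody, which the
     servlet specification defines as "deny all" for the matched URLs. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Resin documentation (not for production)</web-resource-name>
    <!-- Every path under the resin-doc web-app, all HTTP methods -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- Empty auth-constraint: no role is allowed, so all requests get 403 -->
  <auth-constraint/>
</security-constraint>
```

After restarting Resin, any request under /resin-doc/ should return 403 instead of a documentation page; rerunning the compliance scan then confirms the finding no longer reproduces.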