Why is resin-doc deployed to the production environment? That sounds
like a mistake, not something to patch or secure.
--
Serge Knystautas
PrestoSports
On Apr 6, 2009, at 6:23 PM, "Durmus, Emre" <durm...@teoco.com> wrote:
Hi,
We are currently using Resin3.0.25 and we could not pass PCI
Compliance scan due to the following problem (The message below is
taken from the scan results):
-----------
Synopsis : The remote web server contains a Java Servlet that is
affected by a cross-site scripting vulnerability. Description : The
remote host is running Resin, an application server. The 'viewfile'
Servlet included with the version of Resin installed on the remote
host fails to sanitize user input to the 'file' parameter before
including it in dynamic HTML output. An attacker may be able to
leverage this issue to inject arbitrary HTML and script code into a
user's browser to be executed within the security context of the
affected site. Note that the affected Servlet is part of the Resin
documentation, which should not be installed on production servers.
See also : http://www.kb.cert.org/vuls/id/305208 http://www.securitymetrics.com/u?2ea1b70
f Solution: Upgrade to Resin or Resin Pro version 3.1.4 / 3.0.25
or later.
-------
If you try to view the following on a browser, it runs the script on
our servers, causing XSS security problem (......./resin-doc/
viewfile?file=SMetrics<script>alert('This is vulnerable to XSS')</
script>).
They are suggesting that we should use Resin3.0.25 and we are
already using that version.
Is there a way to overcome this issue without upgrading to version
3.1 or higher? Or is it possible to restrict access to /resin-doc
folder?
I would appreciate it a lot, if you could help me out.
Thank you.
Emre Durmus
PRIVILEGED AND CONFIDENTIAL
PLEASE NOTE: The information contained in this message is privileged
and confidential, and is intended only for the use of the individual
to whom it is addressed and others who have been specifically
authorized to receive it. If you are not the intended recipient, you
are hereby notified that any dissemination, distribution or copying
of this communication is strictly prohibited. If you have received
this communication in error, or if any problems occur with
transmission, please contact sender. Thank you.
P Please consider the environment before printing this e-mail.
_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
