[Resin-interest] resin xss issue
Hi, We are currently using Resin3.0.25 and we could not pass PCI Compliance scan due to the following problem (The message below is taken from the scan results): --- Synopsis : The remote web server contains a Java Servlet that is affected by a cross-site scripting vulnerability. Description : The remote host is running Resin, an application server. The 'viewfile' Servlet included with the version of Resin installed on the remote host fails to sanitize user input to the 'file' parameter before including it in dynamic HTML output. An attacker may be able to leverage this issue to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site. Note that the affected Servlet is part of the Resin documentation, which should not be installed on production servers. See also : http://www.kb.cert.org/vuls/id/305208 http://www.securitymetrics.com/u?2ea1b70 f http://www.securitymetrics.com/u?2ea1b70f Solution: Upgrade to Resin or Resin Pro version 3.1.4 / 3.0.25 or later. --- If you try to view the following on a browser, it runs the script on our servers, causing XSS security problem (.../resin-doc/viewfile?file=SMetricsscriptalert('This is vulnerable to XSS')/script http://www.respond.com/resin-doc/viewfile?file=SMetricsscriptalert('T his is vulnerable to XSS')/script ). They are suggesting that we should use Resin3.0.25 and we are already using that version. Is there a way to overcome this issue without upgrading to version 3.1 or higher? Or is it possible to restrict access to /resin-doc folder? I would appreciate it a lot, if you could help me out. Thank you. Emre Durmus PRIVILEGED AND CONFIDENTIAL PLEASE NOTE: The information contained in this message is privileged and confidential, and is intended only for the use of the individual to whom it is addressed and others who have been specifically authorized to receive it. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, or if any problems occur with transmission, please contact sender. Thank you. Please consider the environment before printing this e-mail. ___ resin-interest mailing list resin-interest@caucho.com http://maillist.caucho.com/mailman/listinfo/resin-interest
Re: [Resin-interest] resin xss issue
Why is resin-doc deployed to the production environment? That sounds like a mistake, not something to patch or secure. -- Serge Knystautas PrestoSports On Apr 6, 2009, at 6:23 PM, Durmus, Emre durm...@teoco.com wrote: Hi, We are currently using Resin3.0.25 and we could not pass PCI Compliance scan due to the following problem (The message below is taken from the scan results): --- Synopsis : The remote web server contains a Java Servlet that is affected by a cross-site scripting vulnerability. Description : The remote host is running Resin, an application server. The 'viewfile' Servlet included with the version of Resin installed on the remote host fails to sanitize user input to the 'file' parameter before including it in dynamic HTML output. An attacker may be able to leverage this issue to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site. Note that the affected Servlet is part of the Resin documentation, which should not be installed on production servers. See also : http://www.kb.cert.org/vuls/id/305208 http://www.securitymetrics.com/u?2ea1b70 f Solution: Upgrade to Resin or Resin Pro version 3.1.4 / 3.0.25 or later. --- If you try to view the following on a browser, it runs the script on our servers, causing XSS security problem (.../resin-doc/ viewfile?file=SMetricsscriptalert('This is vulnerable to XSS')/ script). They are suggesting that we should use Resin3.0.25 and we are already using that version. Is there a way to overcome this issue without upgrading to version 3.1 or higher? Or is it possible to restrict access to /resin-doc folder? I would appreciate it a lot, if you could help me out. Thank you. Emre Durmus PRIVILEGED AND CONFIDENTIAL PLEASE NOTE: The information contained in this message is privileged and confidential, and is intended only for the use of the individual to whom it is addressed and others who have been specifically authorized to receive it. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, or if any problems occur with transmission, please contact sender. Thank you. P Please consider the environment before printing this e-mail. ___ resin-interest mailing list resin-interest@caucho.com http://maillist.caucho.com/mailman/listinfo/resin-interest ___ resin-interest mailing list resin-interest@caucho.com http://maillist.caucho.com/mailman/listinfo/resin-interest
Re: [Resin-interest] resin xss issue
Removing resin-doc folder fixed the problem. Thank you foir the quick response. From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Serge Knystautas Sent: Monday, April 06, 2009 7:14 PM To: General Discussion for the Resin application server Subject: Re: [Resin-interest] resin xss issue Why is resin-doc deployed to the production environment? That sounds like a mistake, not something to patch or secure. -- Serge Knystautas PrestoSports On Apr 6, 2009, at 6:23 PM, Durmus, Emre durm...@teoco.com wrote: Hi, We are currently using Resin3.0.25 and we could not pass PCI Compliance scan due to the following problem (The message below is taken from the scan results): --- Synopsis : The remote web server contains a Java Servlet that is affected by a cross-site scripting vulnerability. Description : The remote host is running Resin, an application server. The 'viewfile' Servlet included with the version of Resin installed on the remote host fails to sanitize user input to the 'file' parameter before including it in dynamic HTML output. An attacker may be able to leverage this issue to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site. Note that the affected Servlet is part of the Resin documentation, which should not be installed on production servers. See also : http://www.kb.cert.org/vuls/id/305208 http://www.kb.cert.org/vuls/id/305208 http://www.securitymetrics.com/u?2ea1b70f http://www.securitymetrics.com/u?2ea1b70 f Solution: Upgrade to Resin or Resin Pro version 3.1.4 / 3.0.25 or later. --- If you try to view the following on a browser, it runs the script on our servers, causing XSS security problem (.../resin-doc/viewfile?file=SMetricsscriptalert('This is vulnerable to XSS')/script http://www.respond.com/resin-doc/viewfile?file=SMetricsscriptalert('T his is vulnerable to XSS')/script ). They are suggesting that we should use Resin3.0.25 and we are already using that version. Is there a way to overcome this issue without upgrading to version 3.1 or higher? Or is it possible to restrict access to /resin-doc folder? I would appreciate it a lot, if you could help me out. Thank you. Emre Durmus PRIVILEGED AND CONFIDENTIAL PLEASE NOTE: The information contained in this message is privileged and confidential, and is intended only for the use of the individual to whom it is addressed and others who have been specifically authorized to receive it. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, or if any problems occur with transmission, please contact sender. Thank you. P Please consider the environment before printing this e-mail. ___ resin-interest mailing list resin-interest@caucho.com http://maillist.caucho.com/mailman/listinfo/resin-interest PRIVILEGED AND CONFIDENTIAL PLEASE NOTE: The information contained in this message is privileged and confidential, and is intended only for the use of the individual to whom it is addressed and others who have been specifically authorized to receive it. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, or if any problems occur with transmission, please contact sender. Thank you. Please consider the environment before printing this e-mail. ___ resin-interest mailing list resin-interest@caucho.com http://maillist.caucho.com/mailman/listinfo/resin-interest