Re: [Resin-interest] resin xss issue

2009-04-06 Thread Serge Knystautas
Why is resin-doc deployed to the production environment?  That sounds  
like a mistake, not something to patch or secure.


--
Serge Knystautas
PrestoSports

On Apr 6, 2009, at 6:23 PM, Durmus, Emre durm...@teoco.com wrote:


Hi,

We are currently using Resin3.0.25 and we could not pass PCI  
Compliance scan due to the following problem (The message below is  
taken from the scan results):


---
Synopsis : The remote web server contains a Java Servlet that is  
affected by a cross-site scripting vulnerability. Description : The  
remote host is running Resin, an application server. The 'viewfile'  
Servlet included with the version of Resin installed on the remote  
host fails to sanitize user input to the 'file' parameter before  
including it in dynamic HTML output. An attacker may be able to  
leverage this issue to inject arbitrary HTML and script code into a  
user's browser to be executed within the security context of the  
affected site. Note that the affected Servlet is part of the Resin  
documentation, which should not be installed on production servers.  
See also : http://www.kb.cert.org/vuls/id/305208  http://www.securitymetrics.com/u?2ea1b70 
 f Solution: Upgrade to Resin or Resin Pro version 3.1.4  / 3.0.25  
or later.

---

If you try to view the following on a browser, it runs the script on  
our servers, causing XSS security problem (.../resin-doc/ 
viewfile?file=SMetricsscriptalert('This is vulnerable to XSS')/ 
script).



They are suggesting that we should use Resin3.0.25 and we are  
already using that version.
Is there a way to overcome this issue without upgrading to version  
3.1 or higher? Or is it possible to restrict access to /resin-doc  
folder?


I would appreciate it a lot, if you could help me out.


Thank you.

Emre Durmus


PRIVILEGED AND CONFIDENTIAL
PLEASE NOTE: The information contained in this message is privileged  
and confidential, and is intended only for the use of the individual  
to whom it is addressed and others who have been specifically  
authorized to receive it. If you are not the intended recipient, you  
are hereby notified that any dissemination, distribution or copying  
of this communication is strictly prohibited. If you have received  
this communication in error, or if any problems occur with  
transmission, please contact sender. Thank you.


P   Please consider the environment before printing this e-mail.



___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest


Re: [Resin-interest] resin xss issue

2009-04-06 Thread Durmus, Emre
Removing resin-doc folder fixed the problem. Thank you foir the quick
response.



From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Serge Knystautas
Sent: Monday, April 06, 2009 7:14 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] resin xss issue


Why is resin-doc deployed to the production environment?  That sounds
like a mistake, not something to patch or secure.  

-- 
Serge Knystautas
PrestoSports

On Apr 6, 2009, at 6:23 PM, Durmus, Emre durm...@teoco.com wrote:



Hi,
 
We are currently using Resin3.0.25 and we could not pass PCI
Compliance scan due to the following problem (The message below is taken
from the scan results):
 
---
Synopsis : The remote web server contains a Java Servlet that is
affected by a cross-site scripting vulnerability. Description : The
remote host is running Resin, an application server. The 'viewfile'
Servlet included with the version of Resin installed on the remote host
fails to sanitize user input to the 'file' parameter before including it
in dynamic HTML output. An attacker may be able to leverage this issue
to inject arbitrary HTML and script code into a user's browser to be
executed within the security context of the affected site. Note that the
affected Servlet is part of the Resin documentation, which should not be
installed on production servers. See also :
http://www.kb.cert.org/vuls/id/305208
http://www.kb.cert.org/vuls/id/305208
http://www.securitymetrics.com/u?2ea1b70f
http://www.securitymetrics.com/u?2ea1b70 f Solution: Upgrade to Resin or
Resin Pro version 3.1.4  / 3.0.25 or later.
---
 
If you try to view the following on a browser, it runs the
script on our servers, causing XSS security problem
(.../resin-doc/viewfile?file=SMetricsscriptalert('This is
vulnerable to XSS')/script
http://www.respond.com/resin-doc/viewfile?file=SMetricsscriptalert('T
his is vulnerable to XSS')/script ).
 
 
They are suggesting that we should use Resin3.0.25 and we are
already using that version. 
Is there a way to overcome this issue without upgrading to
version 3.1 or higher? Or is it possible to restrict access to
/resin-doc folder?
 
I would appreciate it a lot, if you could help me out.
 
 
Thank you.
 
Emre Durmus
 
 

PRIVILEGED AND CONFIDENTIAL 
PLEASE NOTE: The information contained in this message is
privileged and confidential, and is intended only for the use of the
individual to whom it is addressed and others who have been specifically
authorized to receive it. If you are not the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited. If you have received this
communication in error, or if any problems occur with transmission,
please contact sender. Thank you.

P   Please consider the environment before printing this e-mail.



___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest


PRIVILEGED AND CONFIDENTIAL 
PLEASE NOTE: The information contained in this message is privileged and 
confidential, and is intended only for the use of the individual to whom it is 
addressed and others who have been specifically authorized to receive it. If 
you are not the intended recipient, you are hereby notified that any 
dissemination, distribution or copying of this communication is strictly 
prohibited. If you have received this communication in error, or if any 
problems occur with transmission, please contact sender. Thank you.
   Please consider the environment before printing this e-mail. 
___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest