Resin viewfile Servlet file Parameter XSS

medium Nessus Plugin ID 33273

Synopsis

The remote web server contains a Java Servlet that is affected by a cross-site scripting vulnerability.

Description

The remote host is running Resin, an application server.

The 'viewfile' Servlet included with the version of Resin installed on the remote host fails to sanitize user input to the 'file' parameter before including it in dynamic HTML output. An attacker may be able to leverage this issue to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.

Note that the affected Servlet is part of the Resin documentation, which should not be installed on production servers.

Solution

Upgrade to Resin or Resin Pro version 3.1.4 / 3.0.25 or later.

See Also

https://www.kb.cert.org/vuls/id/305208/

Plugin Details

Severity: Medium

ID: 33273

File Name: resin_viewfile_xss.nasl

Version: 1.20

Type: remote

Published: 6/30/2008

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:caucho:resin

Required KB Items: www/resin

Exploit Ease: No exploit is required

Patch Publication Date: 6/25/2008

Reference Information

CVE: CVE-2008-2462

BID: 29948

CWE: 79

CERT: 305208

Secunia: 30845