Resin Application and Web Server 4.0.36 Multiple Vulnerabilities

Resin Application and Web Server suffers from an XSS issue due to a failure to properly sanitize user-supplied input to the ‘logout’ GET parameter in the ‘index.php’ script. A URI-based XSS issue is also present, and both vulnerabilities can be triggered once the user/admin is logged in (post-auth). Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

A source code disclosure vulnerability is also present in the software. It is caused by improper sanitization of the ‘file’ parameter when it is used for reading help files. An attacker can exploit this by directly requesting a ‘.jsp’ file, for example one in the root directory of the server, to view its source code, which might reveal sensitive information.
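As an added example (not from the advisory and not Resin's own code), the following scan flags access-log requests that match the two vectors described above: HTML metacharacters in the ‘logout’ parameter, and a ‘file’ parameter that does not name a plain help file. The help-page path, the sample log lines and the help-file naming rule are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the advisory). The
# /resin-admin/help.php path is assumed; only the parameter names
# 'logout' and 'file' come from the advisory text.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2013:10:00:01 +0000] "GET /resin-admin/index.php?logout=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jul/2013:10:00:07 +0000] "GET /resin-admin/index.php?logout=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 640
10.0.0.9 - - [01/Jul/2013:10:01:12 +0000] "GET /resin-admin/help.php?file=config.xtp HTTP/1.1" 200 8192
10.0.0.9 - - [01/Jul/2013:10:01:30 +0000] "GET /resin-admin/help.php?file=../../index.jsp HTTP/1.1" 200 3310
10.0.0.9 - - [01/Jul/2013:10:01:31 +0000] "GET /resin-admin/help.php?file=index.jsp HTTP/1.1" 200 3310
"""

# Common log format: ip ident user [time] "method target proto" status size
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Any of these characters in a value that is reflected into HTML is suspicious.
HTML_META = re.compile(r'[<>"\']')
# Assumed naming rule: a help file is a bare name with a documentation extension,
# never a path and never a server-side source file such as .jsp.
HELP_FILE_OK = re.compile(r'^[A-Za-z0-9_\-]+\.(xtp|html|txt)$')


def check_request(target):
    """Return finding labels for one request target (path plus query string)."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)  # values are URL-decoded here
    findings = []
    for value in params.get("logout", []):
        if HTML_META.search(value):
            findings.append("xss-logout")
    for name in params.get("file", []):
        if ".." in name or "/" in name or "\\" in name or not HELP_FILE_OK.match(name):
            findings.append("source-disclosure-file")
    return findings


def scan_log(text):
    """Return (client_ip, finding, target) tuples for every flagged request line."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ip, _ts, _method, target, _status = m.groups()
        hits.extend((ip, label, target) for label in check_request(target))
    return hits


if __name__ == "__main__":
    for ip, label, target in scan_log(SAMPLE_LOG):
        print(f"{ip} {label} {target}")
```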

Advisory ZSL-2013-5143: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5143.php
Advisory ZSL-2013-5144: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5144.php