Resin Application Server 4.0.36 Cross-Site Scripting Vulnerabilities
Title: Resin Application Server 4.0.36 Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2013-5143
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 07.06.2013
Summary
Resin is the Java Application Server for high traffic sites that require speed and scalability. It is one of the earliest Java Application Servers, and has stood the test of time due to engineering prowess.
Description
Resin Application and Web Server suffers from an XSS issue due to a failure to properly sanitize user-supplied input to the 'logout' GET parameter in the 'index.php' script. A URI-based XSS issue is also present, and both vulnerabilities can be triggered once the user/admin is logged in (post-auth). Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
Vendor
Caucho Technology, Inc. - http://www.caucho.com
Affected Version
Resin Professional Web And Application Server 4.0.36
Tested On
Resin Professional 4.0.36 (built Fri, 26 Apr 2013 03:33:09 PDT)
Java HotSpot(TM) 64-Bit Server VM 23.3-b01
4 cpu, Windows 7 amd64 6.1
Vendor Status
[01.06.2013] Vulnerability discovered.
[01.06.2013] Contact with the vendor.
[06.06.2013] No response from the vendor.
[07.06.2013] Public security advisory released.
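Added detection example, not part of this advisory or of Resin: a Python scan over constructed Common Log Format access-log lines that flags markup reflected through the two sinks named in the description, the 'logout' query parameter and the request URI itself. The /resin-admin/ path prefix and the log format are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Common Log Format lines (not real traffic); the /resin-admin/
# prefix is an assumption, the 'logout' parameter and index.php are the
# advisory's own identifiers.
SAMPLE_LOG = """\
10.0.0.5 - admin [07/Jun/2013:10:01:02 +0200] "GET /resin-admin/index.php?logout=1 HTTP/1.1" 200 512
10.0.0.9 - admin [07/Jun/2013:10:02:15 +0200] "GET /resin-admin/index.php?logout=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
10.0.0.9 - admin [07/Jun/2013:10:03:40 +0200] "GET /resin-admin/%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 404 120
10.0.0.7 - admin [07/Jun/2013:10:04:01 +0200] "GET /resin-admin/index.php?logout=true HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic for markup that has no business in a logout flag or a path
# segment: a tag opener, an inline event handler, or a javascript: URL.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:', re.IGNORECASE)

def decode(value):
    # Decode twice so a double-encoded payload is inspected in decoded form.
    return unquote(unquote(value))

def inspect_line(line):
    """Return a record for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    findings = []
    # The advisory's reflected sink: the 'logout' query parameter.
    for value in parse_qs(parts.query, keep_blank_values=True).get("logout", []):
        if MARKUP_RE.search(decode(value)):
            findings.append("logout-param")
    # The advisory's second sink: the request URI itself.
    if MARKUP_RE.search(decode(parts.path)):
        findings.append("uri-path")
    return {"ip": m.group("ip"), "user": m.group("user"),
            "status": m.group("status"), "target": target, "findings": findings}

def scan(log_text):
    """Return only the records that carry findings, in log order."""
    return [r for r in (inspect_line(ln) for ln in log_text.splitlines())
            if r and r["findings"]]
```

Because both sinks are only reachable post-auth, a hit with a non-empty user field is the one worth correlating with that session's other requests.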
PoC
resin_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://cxsecurity.com/issue/WLB-2013060065
[2] http://packetstormsecurity.com/files/121932
[3] http://secunia.com/advisories/53749/
[4] http://www.securityfocus.com/bid/60426
[5] http://osvdb.org/show/osvdb/94066
[6] http://osvdb.org/show/osvdb/94067
[7] http://xforce.iss.net/xforce/xfdb/84875
[8] http://www.eeye.com/resources/security-center/research/zero-day-tracker/2013/20130607
[9] http://securitytracker.com/id/1028647
Changelog
[07.06.2013] - Initial release
[08.06.2013] - Added reference [1]
[09.06.2013] - Added reference [2]
[10.06.2013] - Added reference [3] and [4]
[11.06.2013] - Added reference [5] and [6]
[13.06.2013] - Added reference [7]
[14.06.2013] - Added reference [8]
[17.06.2013] - Added reference [9]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk