Title: Caucho Technology Resin Cross-Site Scripting Vulnerability
Severity: HIGH
Description:
Resin is a commercial "fast" web server that offers full JSP support.
Resin does not filter script embedded in user-submitted links that are displayed on the server's web sites. The problem stems from an input validation error in the Java servlet container.
A malicious webmaster can exploit this vulnerability to cause JavaScript commands or embedded scripts to be executed by any user who clicks on the hyperlink. This vulnerability may be exploited in forums, guestbooks, or other applications that allow users to submit information that will be displayed in web pages.
When the malicious hyperlink is clicked, the web server returns its standard error message, but the embedded script also runs in the browser in the context of the server's domain. This also conceals the attacker, because the script appears to originate from the trusted host.
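The following is an added illustration, not Resin's code, of the defect class the advisory describes and of its fix: an error page that echoes the requested path back to the client. The unsafe renderer inserts the path verbatim, so markup in the link becomes live in the server's origin; the hardened renderer escapes every client-controlled value at the point where it is placed into HTML. The class and method names are hypothetical, and the request path is a constructed sample; in a real servlet the path would come from `request.getRequestURI()` or a similar accessor.

```java
// Added example (not Caucho's code): reflected input in a container's
// error page, shown unescaped and escaped. All names here are hypothetical.
public final class ErrorPageEscaping {

    // Minimal HTML escaper for text placed in element content or in a
    // double-quoted attribute value. Covers the five characters that can
    // change the HTML structure of the surrounding page.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The pattern described in the advisory: the requested path is echoed
    // verbatim into the "not found" page, so any markup a link carried is
    // interpreted by the browser as part of the trusted host's page.
    static String unsafeNotFoundPage(String requestedPath) {
        return "<html><body><h1>404 Not Found</h1>"
             + "<p>The requested URL " + requestedPath + " was not found.</p>"
             + "</body></html>";
    }

    // Hardened version: the same page, with the client-controlled value
    // escaped where it is inserted. The browser now shows the markup as
    // literal text instead of executing it.
    static String safeNotFoundPage(String requestedPath) {
        return "<html><body><h1>404 Not Found</h1>"
             + "<p>The requested URL " + escapeHtml(requestedPath) + " was not found.</p>"
             + "</body></html>";
    }

    // Simple check a test suite or log-review script can apply to rendered
    // output: no raw script tag may survive in a page built from user input.
    static boolean containsRawScriptTag(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        // Constructed sample path carrying markup (hypothetical input).
        String path = "/missing/<script>alert(1)</script>";

        String unsafe = unsafeNotFoundPage(path);
        String safe   = safeNotFoundPage(path);

        System.out.println("Unescaped page contains raw <script>: " + containsRawScriptTag(unsafe));
        System.out.println("Escaped page contains raw <script>:   " + containsRawScriptTag(safe));
        System.out.println(safe);
    }
}
```

Escaping at the output point is the durable fix: rejecting or stripping "script" from the input misses encoded variants and other executable contexts, whereas encoding the five structural characters wherever untrusted text lands in HTML neutralises all of them. A container patch closes the specific error-page case; applications that display user-submitted links (forums, guestbooks) need the same encoding in their own templates.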
Affected Products:
- Caucho Technology Resin 1.2.2
References:
- Caucho Technology: Caucho Technology Homepage
- Caucho Technology: Resin Version Updates Announcement
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.