'/%20..\WEB-INF/' Information Disclosure Vulnerability (HTTP)
Information
Severity
Family
CVSSv2 Base
CVSSv2 Vector
Solution Type
Created
Modified
Summary
Various application or web servers / products are prone to an information disclosure vulnerability.
Insight
The servlet specification prohibits servlet containers from serving resources in the '/WEB-INF' and '/META-INF' directories of a web application archive directly to clients. This means that a URL like http://example.com/WEB-INF/web.xml will return an error message, rather than the contents of the deployment descriptor. However, some application or web servers / products are prone to a vulnerability that exposes this information if the client requests a URL like one of these instead:
- http://example.com/%20..\WEB-INF/web.xml
- http://example.com/%20..\web-inf/web.xml
(note the '%20..\' before 'WEB-INF').
Affected Software
The following products are known to be affected:
- Caucho Resin v3.1.0 and v3.0.17 through v3.0.21 for Windows.
- Caucho Resin Professional v3.1.0 for Windows.
Other products might be affected as well.
Detection Method
Sends a crafted HTTP GET request and checks the response.
Solution
The following vendor fixes are known:
- Caucho Resin v3.1.1 for Windows.
- Caucho Resin Professional v3.1.1 for Windows.
For other products please contact the vendor for more information on possible fixes.
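Added example, not part of the original advisory or the scanner's own check: a Python log filter that flags requests whose path resolves to '/WEB-INF' or '/META-INF' once the '%20..\' prefix described under Insight is normalized away. The function names, the common-log-format assumption, the normalization rules (percent-decoding, treating '\' as a separator, trimming spaces and dots from each segment) and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Directories the servlet specification says must never be served to clients.
PROTECTED = {"web-inf", "meta-inf"}

# Assumed log layout: common log format with a quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def normalized_segments(raw_path, max_rounds=3):
    """Return lower-cased path segments after conservative normalization."""
    path = raw_path.split("?", 1)[0]           # ignore the query string
    for _ in range(max_rounds):                # decode until stable, so nested
        decoded = unquote(path)                # encoding cannot hide a segment
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")             # Windows also splits on '\'
    # ' ..' (from '%20..') and 'WEB-INF.' collapse once spaces/dots are trimmed.
    cleaned = (seg.strip(" .").lower() for seg in path.split("/"))
    return [seg for seg in cleaned if seg]


def targets_protected_dir(raw_path):
    """True if any normalized segment names a protected directory."""
    return any(seg in PROTECTED for seg in normalized_segments(raw_path))


def flag_log_lines(lines):
    """Return the request paths in `lines` that reach a protected directory."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and targets_protected_dir(match.group(1)):
            hits.append(match.group(1))
    return hits


# Constructed sample access-log lines (documentation IP range, invented sizes).
SAMPLE_LOG = [
    r'192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    r'192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /%20..\WEB-INF/web.xml HTTP/1.1" 200 2048',
    r'192.0.2.11 - - [01/Jan/2024:10:00:06 +0000] "GET /%20..\web-inf/web.xml HTTP/1.1" 200 2048',
    r'192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 404 0',
    r'192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /docs/web-info.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for path in flag_log_lines(SAMPLE_LOG):
        print("protected directory requested:", path)
```

A flagged request that was answered with status 200 is the case worth investigating; the same `targets_protected_dir` check can also be used in a request filter placed in front of a product for which no vendor fix is available.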