[UNIX] Apache Jakarta Tomcat 3 URL Parsing Vulnerability
From: support@securiteam.com
Date: 01/30/03
From: support@securiteam.com To: list@securiteam.com Date: 30 Jan 2003 17:50:18 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Apache Jakarta Tomcat 3 URL Parsing Vulnerability
------------------------------------------------------------------------
SUMMARY
Tomcat is a JSP/Servlet implementation developed at the Apache Software
Foundation. Tomcat versions 3.3.1 and earlier contain security
vulnerabilities that allow a remote user to retrieve directory listings
even when index.html or index.jsp files are present. It is also possible to
retrieve the contents of files and directories that should not be visible
from outside.
DETAILS
Vulnerable systems:
* Tomcat versions 3.3.1 and earlier
Immune systems:
* Tomcat version 3.3.1a
Certain kinds of HTTP requests containing binary null or backslash
characters are parsed incorrectly by Tomcat's built-in web server. The
following GET request causes Tomcat to output the directory listing of the
web root under default installation:
GET /<null byte>.jsp HTTP/1.0
The following UNIX command can be issued to test the vulnerability:
$ perl -e 'print "GET /\x00.jsp HTTP/1.0\r\n\r\n";' | nc my.server 8080
If your server is vulnerable, the command will output an HTTP header and
the directory listing even if there's an index file present. Furthermore,
a backslash can be used in the following way to get information from
otherwise inaccessible directories:
$ perl -e 'print "GET /admin/WEB-INF\\classes/ContextAdmin.java\x00.jsp HTTP/1.0\r\n\r\n";' | nc my.server 8080
This will output the contents of ContextAdmin.java.
The servlet engine interprets the directory listing, and any file retrieved
in this way, as a JSP page, which might be exploited to run arbitrary Java
code in some conceivable scenarios. If the attacker can create a file
whose name contains JSP tags somewhere under the web root, the code would
be run when the directory listing is fetched in the way described above.
Similarly, Java code embedded in *.html or any other file can be compiled
and run by an attacker.
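
A detection check for the request pattern described above, as an added example that is not part of the original advisory or of Tomcat: it flags request lines whose path carries a null byte or a backslash. The function names and sample lines are constructed, and checking the percent-encoded forms is an assumption that goes beyond what the advisory tests.

```python
# Added example: flag HTTP request lines whose target carries a NUL byte or
# a backslash, the two characters the advisory says Tomcat 3.3.1 misparses.
from urllib.parse import unquote_to_bytes

SUSPICIOUS = {b"\x00": "null byte", b"\\": "backslash"}


def inspect_request_line(raw: bytes) -> list[str]:
    """Return the reasons a raw request line matches the advisory's pattern."""
    line = raw.rstrip(b"\r\n")
    # Split on the first and last space only, so odd bytes inside the
    # target stay in the target (HTTP/0.9 lines are reported as malformed).
    try:
        method, rest = line.split(b" ", 1)
        target, version = rest.rsplit(b" ", 1)
    except ValueError:
        return ["malformed request line"]
    path = target.split(b"?", 1)[0]
    # Assumption beyond the advisory: also check the percent-decoded path,
    # since %00 / %5C may reach the same parser after decoding.
    decoded = unquote_to_bytes(path)
    reasons = []
    for needle, name in SUSPICIOUS.items():
        if needle in path:
            reasons.append(f"raw {name} in path")
        elif needle in decoded:
            reasons.append(f"encoded {name} in path")
    return reasons


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    b"GET /index.jsp HTTP/1.0\r\n",
    b"GET /\x00.jsp HTTP/1.0\r\n",
    b"GET /admin/WEB-INF\\classes/ContextAdmin.java\x00.jsp HTTP/1.0\r\n",
    b"GET /%00.jsp HTTP/1.0\r\n",
    b"GET /docs/a%5Cb.html?x=1 HTTP/1.1\r\n",
]


def scan(lines):
    """Map each flagged request line to its list of reasons."""
    return {l: r for l in lines if (r := inspect_request_line(l))}


if __name__ == "__main__":
    for line, reasons in scan(SAMPLES).items():
        print(repr(line), "->", ", ".join(reasons))
```

The check works on raw bytes because an access log or proxy that stores the request line as a C string may truncate it at the null byte before it is ever written.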
Solution:
The vendor was informed on January 10, 2003. A new version of Tomcat
addressing this problem has been released. The fixed version 3.3.1a and
additional information are available at
http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/
According to the vendor, the problem only affects Tomcat used with JDK
1.3.1 or earlier.
ADDITIONAL INFORMATION
The information has been provided by Jouko Pynnonen <jouko@solutions.fi>.