Vulnerability in Apache Tomcat v3.23 & v3.24 (part 2)

From: webmaster@procheckup.com
Date: 05/29/02


Date: 29 May 2002 13:32:29 -0000
From: <webmaster@procheckup.com>
To: bugtraq@securityfocus.com



Procheckup Ltd
www.procheckup.com

Procheckup Security Bulletin PR02-06

  Description: Tomcat realPath.jsp gives location of web root.
         Date: 8/1/2002
  Application: Apache Tomcat Java server versions 3.23 and 3.24
     Platform: Linux/Unix
     Severity: Remote attackers can obtain the location of webroot
      Authors: Richard Brain [richard.brain@procheckup.com]
Vendor Status:
CVE Candidate: Not assigned
    Reference: www.procheckup.com

Description:

Tomcat is the free open-source Java server,
http://jakarta.apache.org/tomcat/.

An example program is shipped with Tomcat under the
http://webserver/test directory which reveals the location of
the webroot on the server's filesystem.

The test page of "http://webserver/test" displays the
following message :-
"This is the home page of the test hierarchy. It doesn't do
too much good to look at it directly... Instead, why don't
you run the tests to find out what you might want to know.

Oh, by the way, merry christmas.. :)"

The vulnerabilities may only work on port 8080 rather than
port 80, depending on how the webserver has been configured
with Tomcat.

A) Requesting the following url :-
http://webserver/test/realPath.jsp

Displays the following:-
The virtual path is /test/realPath.jsp

The real path is "WEBROOT"/test/test/realPath.jsp

The real path is "WEBROOT"/test/realPath.jsp

   Solution:
    Delete the realPath.jsp program.
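As an added example (not part of the Procheckup bulletin), a small Python script that scans Tomcat access-log lines in Common Log Format for requests to realPath.jsp and reports whether any of them succeeded, which indicates the sample page has not yet been deleted; the log lines, client addresses and timestamps are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (Common Log Format); the clients,
# timestamps and sizes below are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [29/May/2002:13:32:29 +0000] "GET /index.html HTTP/1.0" 200 1234
10.0.0.7 - - [29/May/2002:13:33:01 +0000] "GET /test/realPath.jsp HTTP/1.0" 200 312
10.0.0.7 - - [29/May/2002:13:33:05 +0000] "GET /test/ HTTP/1.0" 200 801
10.0.0.9 - - [29/May/2002:13:34:10 +0000] "GET /app/Test/RealPath.JSP?x=1 HTTP/1.1" 404 0
10.0.0.9 - - [29/May/2002:13:35:00 +0000] "HEAD /test/realPath.jsp HTTP/1.1" 200 0
"""

# One Common Log Format record: client, identity, user, timestamp,
# request line, status and response size.
CLF = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
                 r'(?P<status>\d{3}) (?P<size>\S+)$')


@dataclass(frozen=True)
class Hit:
    client: str
    method: str
    path: str
    status: int


def find_realpath_requests(log_text: str) -> list[Hit]:
    """Return every request whose path names a realPath.jsp, under any context.

    The query string is dropped and the path is lower-cased so that case or
    parameter variations of the same request are not missed."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a CLF record; skip rather than guess
        path = m.group("target").split("?", 1)[0].lower()
        if path.endswith("/realpath.jsp"):
            hits.append(Hit(m.group("client"), m.group("method"),
                            path, int(m.group("status"))))
    return hits


def still_deployed(hits: list[Hit]) -> bool:
    """A 2xx answer to realPath.jsp means the sample page is still served,
    i.e. the bulletin's fix (deleting the file) has not been applied."""
    return any(200 <= h.status < 300 for h in hits)
```

Run it over a real Tomcat access log to confirm the page answers 404 after the file has been removed.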

 Legal:
  Copyright 2002 Procheckup Ltd. All rights reserved.

  Permission is granted for copying and circulating this Bulletin
  to the Internet community for the purpose of alerting them to
  problems, if and only if, the Bulletin is not edited or changed
  in any way, is attributed to Procheckup, and provided such
  reproduction and/or distribution is performed for non-commercial
  purposes.

  Any other use of this information is prohibited. Procheckup is
  not liable for any misuse of this information by any third party.


