Apache Tomcat < 3.3.1a Directory Listing and File Disclosure

2004-08-20T00:00:00
ID 1466.PASL
Type nessus
Reporter Tenable
Modified 2019-03-06T00:00:00

Description

Apache Tomcat (prior to 3.3.1a) is affected by a directory listing and file disclosure vulnerability.

By requesting URLs containing a null character, remote attackers can list directories even when an index.html or other file is present or obtain unprocessed source code for a JSP file.

Also note that, when deployed with JDK 1.3.1 or earlier, Tomcat allows files outside of the application directory to be accessed because 'web.xml' files are read with trusted privileges.

                                        
                                            Binary data 1466.pasl