Apache Tomcat pageInfo.jsp Test JSP Script Path Disclosure

2002-05-29T08:26:15
ID OSVDB:14580
Type osvdb
Reporter ProCheckUp
Modified 2002-05-29T08:26:15

Description

Vulnerability Description

Apache Tomcat contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a remote attacker directly requests the pageInfo.jsp script, which discloses the physical installation path, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: delete the sample script from the /test/jsp/ directory.

Manual Testing Notes

http://[victim]/test/jsp/pageInfo.jsp

References:

Vendor URL: http://jakarta.apache.org/tomcat/
Other Advisory URL: http://www.procheckup.com/security_info/vuln_pr0205.html
Other Advisory URL: http://www.procheckup.com/security_info/vuln_pr0206.html
Other Advisory URL: http://www.procheckup.com/security_info/vuln_pr0207.html
Mail List Post: http://cert.uni-stuttgart.de/archive/bugtraq/2002/05/msg00275.html
Mail List Post: http://cert.uni-stuttgart.de/archive/bugtraq/2002/05/msg00272.html
Keyword: ProCheckUp Security Bulletin PR02-07
ISS X-Force ID: 9208
CVE-2002-2007
CERT VU: 116963