Apache Tomcat extends2.jsp Test JSP Script Path Disclosure

2002-05-29T08:26:15
ID OSVDB:14588
Type osvdb
Reporter ProCheckUp
Modified 2002-05-29T08:26:15

Description

Vulnerability Description

Apache Tomcat contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a remote attacker directly requests the extends2.jsp script, which discloses the physical installation path, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: delete the sample script from the /test/jsp/ directory.

Manual Testing Notes

http://[victim]/test/jsp/extends2.jsp
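
To check whether the sample script was requested while it was still deployed, the access log can be searched for the path above, including variant spellings of it. This is an added example, not part of the original advisory; it assumes access logs in Common Log Format, and the names normalize, find_hits and SAMPLE_LOG (with its constructed log lines) are hypothetical.

```python
import re
from urllib.parse import unquote

TARGET = "/test/jsp/extends2.jsp"  # request path named in the advisory

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) \S+')

def normalize(target):
    """Reduce an origin-form request target to a canonical path for comparison."""
    raw = target.split("?", 1)[0].split("#", 1)[0]   # drop query and fragment
    out = []
    for seg in raw.split("/"):
        seg = unquote(seg.split(";", 1)[0])          # drop ;params, decode %xx
        if seg in ("", "."):
            continue                                 # skip empty and "." segments
        if seg == "..":
            if out:
                out.pop()                            # resolve parent reference
            continue
        out.append(seg)
    return "/" + "/".join(out)

def find_hits(lines):
    """Return one record per log line whose normalized path is TARGET."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                                 # not a CLF line; skip it
        client, when, target, status = m.groups()
        # Case-folded comparison is a deliberate over-match (assumption:
        # the server may sit on a case-insensitive filesystem).
        if normalize(target).lower() == TARGET:
            hits.append({"client": client, "time": when,
                         "status": int(status), "served": status == "200"})
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/May/2002:08:30:01 +0000] "GET /test/jsp/extends2.jsp HTTP/1.0" 200 512',
    '192.0.2.11 - - [29/May/2002:08:31:12 +0000] "GET /test//jsp/./extends2%2Ejsp?x=1 HTTP/1.0" 200 512',
    '192.0.2.12 - - [29/May/2002:08:32:40 +0000] "GET /test/jsp/extends2.jsp;jsessionid=ABC HTTP/1.0" 404 210',
    '192.0.2.13 - - [29/May/2002:08:33:05 +0000] "GET /index.jsp HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

A hit with "served" set to True means the script answered the request, so the installation path should be treated as disclosed to that client.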

References:

Vendor URL: http://jakarta.apache.org/tomcat/
Other Advisory URL: http://skateboard.osvdb.org/ref/advisory/ProCheckUp/procheckup-pr02-07.txt
Keyword: ProCheckUp Security Bulletin PR02-07
ISS X-Force ID: 9208
CERT VU: 116963