Tomcat 4.1 real path disclosure

From: Wang Yun (lovehackerat_private)
Date: Thu Apr 18 2002 - 18:49:42 PDT


    
     ('binary' encoding is not supported, stored as-is)
    bugtraq id:
    object:  
    class:Input Validation Error 
    cve: 
    remote: Yes 
    local: Yes
    published Apr 16, 2002 
    updated Apr 16, 2002 
    vulnerable: Tomcat 4.1
    not vulnerable:
    
    discussion:
    CHINANSL Security Team found a security problem
    in the Tomcat 4.1 web server. When a client
    requests a specially formed URL, it can learn the
    real installation path of Tomcat 4.1 on the system,
    giving an attacker more information for further attacks.
    CHINANSL Security Team analyzed this vulnerability
    and found problems in how Tomcat 4.1 handles the
    URL request. If the client requests
    "http://target/a/index.jsp", Tomcat 4.1 first creates
    an "a" directory under its "work" directory. It then
    looks up "index.jsp" in the matching web directory,
    compiles it to "index$jsp.java", and sends the output.
    The problem in this process is that Tomcat 4.1 reports
    the real path when the requested segment cannot be
    created as a directory. For example, in
    http://target/>/index.jsp the ">" cannot be used as a
    directory name on Windows, so the error above appears.
    
    
    exploit:
    Example 1: http://tomcat4.1/+/index.jsp
    Example 2: http://tomcat4.1/>/index.jsp
    Example 3: http://tomcat4.1/%20/index.jsp
    Example 4: http://tomcat4.1/
    All of these reveal the real installation directory of
    Tomcat 4.1.
    
    solution:
    First check whether a directory matching the
    requested document exists in the web directory;
    only then create the matching directory and
    ".java" file in the "work" directory.
    "S-WEB2.0", developed by Chinansl, can solve
    this problem.
    Copyright 2001-2002 CHINANSL. All Rights Reserved.
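    The two handling orders described in this advisory, modelled as an added
    Python sketch (not CHINANSL's or Tomcat's code). The webapps/work layout,
    the handler functions and the Windows naming rule are constructed,
    simplified assumptions so the failure is reproducible on any OS.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed layout mirroring the advisory: a deployed context "a" holding
# index.jsp under webapps, and a separate "work" directory for compiled JSPs.
ROOT = os.path.realpath(tempfile.mkdtemp(prefix="tomcat-demo-"))
WEBAPPS = os.path.join(ROOT, "webapps")
WORK = os.path.join(ROOT, "work")
os.makedirs(os.path.join(WEBAPPS, "a"))
os.makedirs(WORK)
open(os.path.join(WEBAPPS, "a", "index.jsp"), "w").close()

WINDOWS_INVALID = set('<>:"|?*')  # characters Windows rejects in a file name

def make_work_dir(context):
    """Create work/<context>, emulating the Windows naming rule on any OS
    (simplified model) so the failure the advisory relies on is reproducible."""
    if not context.strip() or set(context) & WINDOWS_INVALID:
        raise OSError(22, "Cannot create a directory", os.path.join(WORK, context))
    os.makedirs(os.path.join(WORK, context), exist_ok=True)

def first_segment(url_path):
    return unquote(url_path.split("/")[1])  # "/>/index.jsp" -> ">"

def leaky_handler(url_path):
    """Order the advisory describes: create the work directory first; the OS
    error, which names the real install path, ends up in the response."""
    try:
        make_work_dir(first_segment(url_path))
    except OSError as exc:
        return 500, str(exc)  # response text contains ROOT
    return 200, "compiled index$jsp.java"

def hardened_handler(url_path):
    """Fix the advisory proposes: confirm the request maps to a deployed
    context under webapps before touching work, and never echo a path."""
    context = first_segment(url_path)
    webapp_dir = os.path.realpath(os.path.join(WEBAPPS, context))
    if not (webapp_dir.startswith(WEBAPPS + os.sep)
            and os.path.isfile(os.path.join(webapp_dir, "index.jsp"))):
        return 404, "Not Found"
    make_work_dir(context)  # safe: the same name already exists under webapps
    return 200, "compiled index$jsp.java"
```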
    
    credit:
    This security advisory comes from CHINANSL
    TECHNOLOGY CO.,LTD. It may be redistributed, but
    please keep the article complete; otherwise we
    will pursue our legal rights.
    www.chinansl.com
    lovehackerat_private
    
    reference:
    CHINANSL Security Team 
    lovehackerat_private
    CHINANSL TECHNOLOGY CO.,LTD
    http://www.chinansl.com
    



    This archive was generated by hypermail 2b30 : Fri Apr 19 2002 - 14:50:00 PDT