Re: Tomcat 4.1 real path disclosure

From: Ian Darwin (ianat_private)
Date: Fri Apr 19 2002 - 14:37:49 PDT


    There is no such thing as "Tomcat 4.1". Tomcat is at version
    4.0.3. The next version is 4.0.4.
    
    If you mean 4.0.1, did you check whether this is one of
    the security fixes that brings 4.0.1 up to 4.0.3 before you
    posted?  It is, you know:
    
    HTTP/1.1 404 />/index.jsp
    Date: Fri, 19 Apr 2002 21:36:23 GMT
    Server: Apache Tomcat/4.0.2 (HTTP/1.1 Connector)
    Connection: close
     
    <html><head><title>Apache Tomcat/4.0.2 - Error report</title><STYLE><!--H1{font-family : sans-serif,Arial,Tahoma;color : white;
    background-color : #0086b2;} BODY{font-family : sans-serif,Arial,Tahoma;color : black;background-color : white;}
    B{color : white;background-color : #0086b2;} HR{color : #0086b2;} --></STYLE> </head>
    <body><h1>Apache Tomcat/4.0.2 - HTTP Status 404 - /&gt;/index.jsp</h1><HR size="1" noshade><p><b>type</b>
     Status report</p><p><b>message</b> <u>/&gt;/index.jsp</u></p><p><b>description</b> <u>The requested resource 
    (/&gt;/index.jsp) is not available.</u></p><HR size="1" noshade></body></html>
    
    
    > CHINANSL Security Team found a security problem
    > at the usage of Tomcat 4.1 WEB server. When the
    > customer inputs a special URL, he can acquire the
    > real path of Tomcat 4.1 in the system, providing more
    > information for hacker's attacks.
    > CHINANSL Security Team analyzed this vulnerability,
    > discovered that there are some problems in Tomcat
    > 4.1 handling the URL request. If the customer
    > submits "http:// target/ a/ index.jsp", Tomcat 4.1 will
    > establish "a" directory under "work" directory at
    > first. After this, Tomcat will find "index.jsp" in the WEB
    > matching directory and compile it to "index$jsp.java".
    > Then, Tomcat will output results. But there is a
    > problem in this process: Tomcat 4.1 will output the
    > real path if the customer's request can't be created
    > as a directory. For example:   http://target/>/index.jsp
    > ">" can't be set up as a directory under the Windows
    > system. Therefore, the above problem appears.
    >
    >
    > exploit:
    > Example 1：http://tomcat4.1/+/index.jsp
    > Example 2：http://tomcat4.1/>/index.jsp
    > Example 3：http://tomcat4.1/%20/index.jsp
    > Example 4：http://tomcat4.1/
    >  All of these can gain the real installed directory of
    > TOMCAT 4.1
    >
    > solution:
    > We should first check whether there is a catalogue
    > matching the customer request document in the
    > WEB catalogue, then, we can set up a matching
    > catalogue and ".java" document in "work"
    > catalogue. "S-WEB2.0", which is developed by Chinansl, can
    > solve this problem.
    >          Copyright 2001-2002 CHINANSL. All Rights
    > Reserved.
    >
    > credit:
    > This security advisory comes from CHINANSL
    > TECHNOLOGY CO.,LTD. It can be transshipped. But
    > please guarantee the completion of the article,
    > otherwise we will pursue the rights of the law.
    > www.chinansl.com
    > lovehackerat_private
    >
    > reference:
    > CHINANSL Security Team
    > lovehackerat_private
    > CHINANSL TECHNOLOGY CO.,LTD
    > http://www.chinansl.com
    
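An added example, not part of Ian's reply or of the CHINANSL advisory: a small Python checker that parses a captured HTTP error response and flags any absolute filesystem path in the body. This is the check a defender runs against their own server's 404/500 pages to confirm they do not echo the install directory the advisory describes. The first sample is the Tomcat 4.0.2 response quoted above (STYLE block trimmed, body reflowed); the second is a constructed, hypothetical leaking response, not a real Tomcat capture. The path regexes are heuristics, and the Unix install roots they look for are my assumption.

```python
import re

# Heuristics for absolute filesystem paths that should never reach a client
# in an error page: a Windows drive path (C:\...) or a Unix path under a
# typical install root (assumed list).  The negative look-behind on the Unix
# pattern keeps URL paths in the page (e.g. "/&gt;/index.jsp") from matching.
_WINDOWS_PATH = re.compile(r"\b[A-Za-z]:\\(?:[^\\\s<>\"']+\\)*[^\\\s<>\"']+")
_UNIX_PATH = re.compile(
    r"(?<![\w/])/(?:usr|opt|var|home|srv)/(?:[^/\s<>\"']+/)*[^/\s<>\"']+"
)


def split_response(raw: str):
    """Split a raw HTTP/1.x response into (status_line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_disclosed_paths(body: str) -> list:
    """Return every absolute filesystem path found in an error-page body."""
    found = _WINDOWS_PATH.findall(body) + _UNIX_PATH.findall(body)
    return sorted(set(found))


def check_error_page(raw: str) -> dict:
    """Summarise one captured response: status, Server header, leaked paths."""
    status_line, headers, body = split_response(raw)
    leaks = find_disclosed_paths(body)
    return {
        "status": int(status_line.split()[1]),
        "server": headers.get("server", ""),
        "leaked_paths": leaks,
        "discloses_path": bool(leaks),
    }


# Sample 1: the Tomcat 4.0.2 response captured in the post above
# (STYLE block trimmed, body reflowed; otherwise as posted).
TOMCAT_402_RESPONSE = (
    "HTTP/1.1 404 />/index.jsp\r\n"
    "Date: Fri, 19 Apr 2002 21:36:23 GMT\r\n"
    "Server: Apache Tomcat/4.0.2 (HTTP/1.1 Connector)\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><head><title>Apache Tomcat/4.0.2 - Error report</title></head>"
    "<body><h1>Apache Tomcat/4.0.2 - HTTP Status 404 - /&gt;/index.jsp</h1>"
    "<p><b>message</b> <u>/&gt;/index.jsp</u></p>"
    "<p><b>description</b> <u>The requested resource (/&gt;/index.jsp) "
    "is not available.</u></p></body></html>"
)

# Sample 2: a CONSTRUCTED response of the kind the advisory describes
# (hypothetical, not a real capture): the error page echoes a work-dir path.
LEAKY_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Example/1.0\r\n"
    "\r\n"
    "<html><body><h1>Error</h1><pre>java.io.FileNotFoundException: "
    "C:\\Tomcat\\work\\localhost\\_\\index$jsp.java "
    "(The system cannot find the path specified)</pre></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("tomcat-4.0.2", TOMCAT_402_RESPONSE),
                       ("constructed-leak", LEAKY_RESPONSE)):
        result = check_error_page(raw)
        verdict = "LEAKS " + ", ".join(result["leaked_paths"]) \
            if result["discloses_path"] else "clean"
        print(f"{label}: HTTP {result['status']} [{result['server']}] -> {verdict}")
```

The 4.0.2 page passes because its message and description only echo the request URI, never a filesystem location; the constructed page fails on the drive path inside the stack-trace text. The same function can be pointed at any saved error response (a 500 page, a directory-listing page, a JSP compile error) since the check is on the body alone.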



    This archive was generated by hypermail 2b30 : Fri Apr 19 2002 - 19:28:56 PDT