SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Web Server/CGI)  >   Apache Tomcat
Vendors:   Apache Software Foundation
Apache Tomcat Server URL Parsing Error May Disclose Otherwise Inaccessible Web Directory Listings and Files to Remote Users
SecurityTracker Alert ID:  1006021
SecurityTracker URL:  http://securitytracker.com/id/1006021
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 30 2003
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 3.3.1 and prior versions
Description:   An information disclosure vulnerability was reported in the Apache Tomcat server. A remote user can view directory listings and some files and directories that are configured to be not visible.

It is reported that the server does not correctly parse certain types of HTTP requests that contain binary null or backslash characters. A remote user can create a specially crafted HTTP GET request to view a directory listing, even if an index.html or index.jsp file is present. A demonstration exploit request is provided:

GET /<null byte>.jsp HTTP/1.0

It is also reported that a remote user can supply a specially crafted request containing a backslash character to obtain information about inaccessible web directories. A demonstration exploit command is provided:

$ perl -e 'print "GET /admin/WEB-INF\\classes/ContextAdmin.java\x00.jsp HTTP/1.0\r\n\r\n";'|nc my.server 8080

This demonstration command will reportedly display the contents of ContextAdmin.java.

According to the report, directory listings and files retrieved in this manner are interpreted by the servlet engine as a JSP page. Using this method, a remote user could execute JSP or Java code contained in files within the web root directory.

Impact:   A remote user can view web directory listings and file contents, regardless of whether an index file is present or not.
Solution:   The vendor has released a fixed version (3.3.1a), available at:

http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/

According to the report, the vendor has indicated that the vulnerability only affects Tomcat used with JDK 1.3.1 or earlier.

Vendor URL:  jakarta.apache.org/tomcat/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


Source Message Contents

Subject:  [Full-Disclosure] Apache Jakarta Tomcat 3 URL parsing vulnerability

OVERVIEW
========

Tomcat is a JSP/Servlet implementation developed at the Apache Software 
Foundation. Tomcat versions 3.3.1 and earlier contain some security 
vulnerabilities which allow a remote user to retrieve listings of  
directories despite index.html or index.jsp files. It is also possible 
to retrieve contents of files and directories that shouldn't be visible to 
the outside.



DETAILS
=======

Certain kinds of HTTP requests containing binary null or backslash 
characters are parsed incorrectly by Tomcat's built-in web server. The 
following GET request causes Tomcat to output the directory listing of 
the web root under default installation:

GET /<null byte>.jsp HTTP/1.0

The following UNIX command can be issued to test the vulnerability:

$ perl -e 'print "GET /\x00.jsp HTTP/1.0\r\n\r\n";' | nc my.server 8080

If your server is vulnerable, the command will output an HTTP header and 
the directory listing even if there's an index file present. Furthermore, 
a backslash can be used in the following way to get information from 
otherwise inaccessible directories:

$ perl -e 'print "GET /admin/WEB-INF\\classes/ContextAdmin.java\x00.jsp HTTP/1.0\r\n\r\n";'|nc my.server 8080

This will output the contents of ContextAdmin.java.

The servlet engine interprets the directory listing and any file 
retrieved in this way as a JSP page, which might be exploited to run 
arbitrary Java code under some imaginable scenarios. If the attacker can 
create a file whose name contains JSP tags somewhere under the web root, 
the code would be run when the directory listing is fetched in the way 
described above. Similarly, Java code embedded in *.html or any other file 
can be compiled and run by an attacker.



SOLUTION
========

The vendor was informed on January 10, 2003. A new version of Tomcat 
addressing this problem has been released. The fixed version 3.3.1a and 
additional information is available at

  http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/

According to the vendor, the problem only affects Tomcat used with JDK 
1.3.1 or earlier.



CREDITS
=======

Ltd, Finland.



-- 
Jouko Pynnonen          Online Solutions Ltd       Secure your Linux -
jouko@solutions.fi      http://www.solutions.fi    http://www.secmod.com

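Both parsing flaws in the advisory, the embedded NUL byte and the backslash, come down to the URI mapper and the file layer disagreeing about where a path ends and what separates its segments. The following is an added example, not code from the advisory or from Tomcat: a request-path canonicaliser of the kind a servlet container or reverse proxy front end can apply before a URI is mapped to a file, run over the advisory's two demonstration requests (re-typed as constructed input) plus an encoded, a dot-dot and a benign variant. Function names, reject reasons, the sample requests and the mechanism sketched in the comments are assumptions.

```python
import posixpath
from urllib.parse import unquote_to_bytes

PROTECTED_DIRS = ("WEB-INF", "META-INF")  # never served directly to clients

def canonical_path(request_line):
    """Return (decision, path): decision is "ok" or "reject:<reason>"."""
    parts = request_line.strip(b"\r\n").split(b" ")
    if len(parts) != 3 or not parts[0].isalpha():
        return "reject:malformed-request-line", None
    # Drop the query string, then decode %xx so %5c and %00 are caught too.
    target = unquote_to_bytes(parts[1].split(b"?", 1)[0])
    # Advisory's second bug: '\' is no separator to the URI mapper but is one
    # to Windows/Java file APIs, so WEB-INF\classes slips past WEB-INF checks.
    if b"\\" in target:
        return "reject:backslash", None
    # Advisory's first bug (assumed mechanism): the mapper sees "/<NUL>.jsp" as
    # a JSP, but the name the OS receives ends at the NUL, so "/" is listed.
    if b"\x00" in target:
        return "reject:nul-byte", None
    try:
        text = target.decode("ascii")
    except UnicodeDecodeError:
        return "reject:non-ascii", None
    if not text.startswith("/"):
        return "reject:not-absolute", None
    norm = posixpath.normpath(text)  # collapses "." and ".." segments
    if text.endswith("/") and norm != "/":
        norm += "/"  # keep the trailing slash that marks a directory request
    # Case-insensitive: a Windows file system would open web-inf as WEB-INF.
    if any(seg.upper() in PROTECTED_DIRS for seg in norm.split("/")):
        return "reject:protected-dir", None
    return "ok", norm

# Constructed sample input: the advisory's two demonstration requests, a
# %-encoded NUL, a dot-dot variant and a benign request.
DEMO_REQUESTS = [
    b"GET /\x00.jsp HTTP/1.0\r\n\r\n",
    b"GET /admin/WEB-INF\\classes/ContextAdmin.java\x00.jsp HTTP/1.0\r\n\r\n",
    b"GET /%00.jsp HTTP/1.0\r\n\r\n",
    b"GET /admin/../web-inf/web.xml HTTP/1.0\r\n\r\n",
    b"GET /index.jsp HTTP/1.0\r\n\r\n",
]

def scan(requests):
    """Return the decision for each request line, in order."""
    return [canonical_path(r)[0] for r in requests]

for req, verdict in zip(DEMO_REQUESTS, scan(DEMO_REQUESTS)):
    print(f"{verdict:24} {req!r}")
```

Only the decoded path is checked here; a real front end also has to apply the same rules after any further decoding the container performs, or the two layers disagree again.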