OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Jouko Pynnonen (jouko_at_solutions.fi)
Date: Thu Jan 30 2003 - 04:55:15 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    OVERVIEW
    ========

    Tomcat is a JSP/Servlet implementation developed at the Apache Software
    Foundation. Tomcat versions 3.3.1 and earlier contain some security
    vulnerabilities which allow a remote user to retrieve listings of
    directories despite index.html or index.jsp files. It is also possible
    to retrieve contents of files and directories that shouldn't be visible to
    outside.

    DETAILS
    =======

    Certain kinds of HTTP requests containing binary null or backslash
    characters are parsed incorrectly by Tomcat's built-in web server. The
    following GET request causes Tomcat to output the directory listing of
    the web root under default installation:

    GET /<null byte>.jsp HTTP/1.0

    The following UNIX command can be issued to test the vulnerability:

    $ perl -e 'print "GET /\x00.jsp HTTP/1.0\r\n\r\n";' | nc my.server 8080

    If your server is vulnerable, the command will output a HTTP header and
    the directory listing even if there's an index file present. Furthermore,
    a backslash can be used in the following way to get information from
    otherwise inaccessible directories:

    $ perl -e 'print "GET /admin/WEB-INF\\classes/ContextAdmin.java\x00.jsp HTTP/1.0\r\n\r\n";'|nc my.server 8080

    This will output the contents of ContextAdmin.java.

    The servlet engine interprets the directory listing and any file
    retrieved in this way as a JSP page, which might be exploited to run
    arbitrary Java code under some imaginable scenarios. If the attacker can
    create a file whose name contains JSP tags somewhere under the web root,
    the code would be run when the directory listing is fetched in the way
    described above. Similarly Java code embedded in *.html or any other file
    can be compiled and run by an attacker.

    SOLUTION
    ========

    The vendor was informed on January 10, 2003. A new version of Tomcat
    addressing this problem has been released. The fixed version 3.3.1a and
    additional information is available at

      http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/

    According to the vendor, the problem only affects Tomcat used with JDK
    1.3.1 or earlier.

    CREDITS
    =======

    The vulnerability was discovered by Jouko Pynnönen of Online Solutions
    Ltd, Finland. 

    -- 
Jouko Pynnonen          Online Solutions Ltd       Secure your Linux -
joukosolutions.fi      http://www.solutions.fi    http://www.secmod.com