Tomcat Vulnerability Allows Unintended Directory Listings

Apache’s Tomcat JSP/Servlet implementation contains a vulnerability that allows remote users to retrieve directory listings. Details and a link to the update correcting the vulnerability are included in this vulnerability announcement from Jouko Pynnonen:

Date: Thu, 30 Jan 2003 14:53:23 +0200 (EET)
From: Jouko Pynnonen 
Subject: Apache Jakarta Tomcat 3 URL parsing vulnerability

OVERVIEW

Tomcat is a JSP/Servlet implementation developed at the Apache Software
Foundation. Tomcat versions 3.3.1 and earlier contain some security
vulnerabilities which allow a remote user to retrieve listings of
directories despite index.html or index.jsp files. It is also possible
to retrieve contents of files and directories that shouldn’t be visible to
outside. The vulnerability also allows retrieving the source of JSP files.

DETAILS

Certain kinds of HTTP requests containing binary null or backslash
characters are parsed incorrectly by Tomcat’s built-in web server. The
following GET request causes Tomcat to output the directory listing of
the web root under default installation:

GET /.jsp HTTP/1.0

The following UNIX command can be issued to test the vulnerability:

$ perl -e 'print "GET /\x00.jsp HTTP/1.0\r\n\r\n";' | nc my.server 8080

If your server is vulnerable, the command will output a HTTP header and
the directory listing even if there’s an index file present. Furthermore,
a backslash can be used in the following way to get information from
otherwise inaccessible directories:

$ perl -e 'print "GET /admin/WEB-INF\classes/ContextAdmin.java\x00.jsp HTTP/1.0\r\n\r\n";' | nc my.server 8080

This will output the contents of ContextAdmin.java.

The servlet engine interprets the directory listing and any file
retrieved in this way as a JSP page, which might be exploited to run
arbitrary Java code under some imaginable scenarios. If the attacker can
create a file whose name contains JSP tags somewhere under the web root,
the code would be run when the directory listing is fetched in the way
described above. Similarly Java code embedded in *.html or any other file
can be compiled and run by an attacker.

In the same way a remote user may force a *.jsp file to be interpreted as
plain HTML, i.e., retrieve the source of JSP files:

$ perl -e 'print "GET /examples/jsp/cal/cal1.jsp\x00.html HTTP/1.0\r\n\r\n";' | nc my.server 8080

This would output the source of the example JSP file.

SOLUTION

The vendor was informed on January 10, 2003. A new version of Tomcat
addressing this problem has been released. The fixed version 3.3.1a and
additional information are available at

http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/

According to the vendor, the problem only affects Tomcat used with JDK
1.3.1 or earlier.

CREDITS

The vulnerability was discovered by Jouko Pynnönen of Online Solutions
Ltd, Finland.
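As an added example (not part of the advisory and not Tomcat's own code), the following Python models the parsing disagreement the advisory describes, where a handler is chosen from the extension of the full request target but the file is opened from the path truncated at the first NUL, with backslash accepted as a separator, and flags access-log requests that exhibit it. The log lines are constructed, and the WEB-INF check is an assumed local policy, not something the advisory specifies.

```python
"""Model the advisory's parsing split: handler picked by full-target extension, file opened from the NUL-truncated path."""
import posixpath
import re
from urllib.parse import unquote_to_bytes

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def filesystem_view(target: bytes) -> bytes:
    # A C-string style open stops at the first NUL; a lenient resolver may
    # also treat backslash as a path separator. Model both behaviours.
    return target.split(b"\x00", 1)[0].replace(b"\\", b"/")

def analyse_target(raw_target: str) -> dict:
    target = unquote_to_bytes(raw_target)       # "%00" -> b"\x00", "%5C" -> b"\\"
    mapped_ext = posixpath.splitext(target)[1]  # extension an extension mapper sees
    fs_path = filesystem_view(target)
    fs_ext = posixpath.splitext(fs_path)[1]     # extension of what is actually opened
    reasons = []
    if b"\x00" in target:
        reasons.append("nul-byte")
    if b"\\" in target:
        reasons.append("backslash")
    if mapped_ext != fs_ext:
        reasons.append(f"extension mismatch {mapped_ext!r} vs {fs_ext!r}")
    if b"/WEB-INF/" in fs_path.upper() + b"/":  # assumed policy: WEB-INF is never servable
        reasons.append("WEB-INF path")
    return {"fs_path": fs_path, "mapped_ext": mapped_ext, "fs_ext": fs_ext,
            "reasons": reasons, "suspicious": bool(reasons)}

def suspicious_requests(log_lines):
    """Return (target, reasons) for each common-log-format line worth alerting on."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        verdict = analyse_target(m.group(1))
        if verdict["suspicious"]:
            hits.append((m.group(1), verdict["reasons"]))
    return hits

# Constructed sample log lines (common log format); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Jan/2003:14:53:23 +0200] "GET /index.jsp HTTP/1.0" 200 512',
    '10.0.0.5 - - [30/Jan/2003:14:53:24 +0200] "GET /%00.jsp HTTP/1.0" 200 1834',
    '10.0.0.5 - - [30/Jan/2003:14:53:25 +0200] "GET /examples/jsp/cal/cal1.jsp%00.html HTTP/1.0" 200 2201',
    '10.0.0.5 - - [30/Jan/2003:14:53:26 +0200] "GET /admin/WEB-INF%5Cclasses/ContextAdmin.java%00.jsp HTTP/1.0" 200 4410',
]

if __name__ == "__main__":
    for target, reasons in suspicious_requests(SAMPLE_LOG):
        print(target, "->", ", ".join(reasons))
```

Raw (unencoded) NUL bytes in a request line will not survive most log writers intact, so blocking such targets at the request-parsing layer is the more reliable control; the log scan is for retrospective review.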
