Bugtraq mailing list archives

Tomcat 4.1 real path disclosure


From: Wang Yun <lovehacker () chinansl com>
Date: 19 Apr 2002 01:49:42 -0000



bugtraq id:
object:
class: Input Validation Error
cve:
remote: Yes
local: Yes
published: Apr 16, 2002
updated: Apr 16, 2002
vulnerable: Tomcat 4.1
not vulnerable:

discussion:
CHINANSL Security Team found a security problem in the Tomcat 4.1 web server. By requesting a specially crafted URL, a client can learn the real filesystem path of the Tomcat 4.1 installation, which gives an attacker additional information for further attacks.
CHINANSL Security Team analyzed this vulnerability and found that Tomcat 4.1 mishandles the URL request in the following way. If a client requests "http://target/a/index.jsp", Tomcat 4.1 first creates an "a" directory under the "work" directory. It then looks up "index.jsp" in the matching web application directory, compiles it to "index$jsp.java" and returns the output. The problem in this sequence is that Tomcat 4.1 outputs the real path when the path segment in the request cannot be created as a directory. For example, with http://target/>/index.jsp the character ">" cannot be used as a directory name on Windows, so the work-directory creation fails and the real path is disclosed.


exploit:
Example 1: http://tomcat4.1/+/index.jsp
Example 2: http://tomcat4.1/>/index.jsp
Example 3: http://tomcat4.1/%20/index.jsp
Example 4: http://tomcat4.1/</index.jsp
All of these disclose the real installation directory of Tomcat 4.1.

solution:
The server should first check whether a file matching the requested document exists in the web application directory; only then should it create the matching directory and the ".java" file under the "work" directory. "S-WEB2.0", developed by Chinansl, can solve this problem.
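The order of checks the solution above calls for, as an added Python example (not Tomcat's code and not Chinansl's S-WEB2.0): every request segment is validated and the JSP is confirmed to exist under the web application root before anything is created under the work directory, and failures return None for a generic 404 instead of raising an error whose message would carry the real path. The directory layout, the segment validation rules and decoding "+" as a space (as the advisory's Example 1 implies) are assumptions of this example.

```python
import os
import re
import tempfile
from urllib.parse import unquote_plus

# Segments that cannot become a Windows directory name (assumed rule set):
# reserved characters, empty or whitespace-only names, ".", "..",
# and names ending in a space or dot.
_BAD_SEGMENT = re.compile(r'[<>:"|?*\\]|^\s*$|^\.{1,2}$|[\s.]$')


def safe_work_path(webapp_root, work_root, request_uri):
    """Map a request URI to (jsp_source, work_dir) or return None.

    Nothing is created under work_root until the request has been
    validated and the JSP has been found under webapp_root, so a
    failed directory creation can never leak the install path."""
    path = unquote_plus(request_uri.split("?", 1)[0])
    segments = path.strip("/").split("/")
    if any(_BAD_SEGMENT.search(s) for s in segments):
        return None
    root = os.path.realpath(webapp_root)
    jsp = os.path.realpath(os.path.join(root, *segments))
    # Reject anything that resolved outside the webapp root (e.g. via "..").
    if os.path.commonpath([jsp, root]) != root or not os.path.isfile(jsp):
        return None
    # Only now mirror the request path under the work directory.
    work_dir = os.path.join(work_root, *segments[:-1])
    os.makedirs(work_dir, exist_ok=True)
    return jsp, work_dir


def demo():
    """Constructed layout: webapps/ROOT/a/index.jsp plus an empty work dir.
    Returns which URIs were served and what ended up under work/."""
    base = tempfile.mkdtemp()
    webapp = os.path.join(base, "webapps", "ROOT")
    work = os.path.join(base, "work")
    os.makedirs(os.path.join(webapp, "a"))
    os.makedirs(work)
    open(os.path.join(webapp, "a", "index.jsp"), "w").close()
    uris = ["/a/index.jsp", "/+/index.jsp", "/>/index.jsp",
            "/%20/index.jsp", "/</index.jsp", "/../../etc/passwd"]
    served = {u: safe_work_path(webapp, work, u) is not None for u in uris}
    return served, sorted(os.listdir(work))
```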
Copyright 2001-2002 CHINANSL. All Rights Reserved.

credit:
This security advisory comes from CHINANSL TECHNOLOGY CO.,LTD. It may be redistributed, but please keep the article complete; otherwise we will pursue our legal rights.
www.chinansl.com 
lovehacker () chinansl com

reference:
CHINANSL Security Team 
lovehacker () chinansl com
CHINANSL TECHNOLOGY CO.,LTD
http://www.chinansl.com

