Re: Tomcat 4.1 real path disclosure

[Ian Darwin <ian () darwinsys com>]

There is no such thing as "Tomcat 4.1". Tomcat is at version
4.0.3. The next version is 4.0.4.

If you mean 4.0.1, did you check whether this is one of
the security fixes that brings 4.0.1 up to 4.0.3 before you
posted?  It is, you know:

HTTP/1.1 404 />/index.jsp
Date: Fri, 19 Apr 2002 21:36:23 GMT
Server: Apache Tomcat/4.0.2 (HTTP/1.1 Connector)
Connection: close
 
<html><head><title>Apache Tomcat/4.0.2 - Error report</title><STYLE><!--H1{font-family : sans-serif,Arial,Tahoma;color 
: white;b
ackground-color : #0086b2;} BODY{font-family : sans-serif,Arial,Tahoma;color : black;background-color : white;}
B{color : white;background-color : #0086b2;} HR{color : #0086b2;} --></STYLE> </head>
<body><h1>Apache Tomcat/4.0.2 - HTTP Status 404 - /&gt;/index.jsp</h1><HR size="1" noshade><p><b>type</b>
 Status report</p><p><b>message</b> <u>/&gt;/index.jsp</u></p><p><b>description</b> <u>The requested resource 
(/&gt;/index.jsp) is not available.</u></p><HR size="1" noshade></body></html>


> CHINANSL Security Team found a security problem
> at the usage of Tomcat 4.1 WEB server. When the
> customer inputs a special URL, he can acquire the
> real path of Tomcat 4.1 in the system, providing more
> information for hacker&#8217;s attacks.
> CHINANSL Security Team analyzed this vulnerability,
> discovered that there are some problems in Tomcat
> 4.1 handling the URL request. If the customer
> submits &#8220;http:// target/ a/ index.jsp&#8221;, Tomcat 4.1 will
> establish &#8220;a&#8221; directory under &#8220;work&#8221; directory at
> fist. After this, Tomcat will find &#8220;index.jsp&#8221; in the WEB
> matching directory and compile it to &#8220;index$jsp.java&#8221;.
> Then, Tomcat will output results. But there is a
> problem in this process: Tomcat 4.1 will output the
> real path if the customer&#8217;s request can&#8217;t be created
> as a directory.For example:   http://target/>/index.jsp
> &#8220;>&#8221;can&#8217;t be set up as a directory under the Window
> system. Therefore, the above problem appears.
>
>
> exploit:
> Example 1&#65306;http://tomcat4.1/+/index.jsp
> Example 2&#65306;http://tomcat4.1/>/index.jsp
> Example 3&#65306;http://tomcat4.1/%20/index.jsp
> Example 4&#65306;http://tomcat4.1/</index.jsp
>  All of these can gain the real installed directory of
> TOMCAT 4.1
>
> solution:
> We should first check whether there is a catalogue
> matching the customer request document in the
> WEB catalogue, then, we can set up a matching
> catalogue and  &#8220;.java&#8221; document in &#8220;work
> &#8221;catalogue. &#8220;S-WEB2.0&#8221;which is developed by Chinansl can
> solve this problem.
>          Copyright 2001-2002 CHINANSL. All Rights
> Reserved.
>
> credit:
> This security advisory comes from CHINANSL
> TECHNOLOGY CO.,LTD. It can be transshipped. But
> please guarantee the completion of the article,
> otherwise we will pursue the rights of the law.
> www.chinansl.com
> lovehacker () chinansl com
>
> reference:
> CHINANSL Security Team
> lovehacker () chinansl com
> CHINANSL TECHNOLOGY CO.,LTD
> http://www.chinansl.com