Apache Tomcat sample file requests could reveal directory listing and path to Web root directory

tomcat-sample-reveal-path (9208) Risk level: Low

Description:

Apache Tomcat could allow a remote attacker to obtain sensitive information. A remote attacker could send a specially-crafted URL request to one of the .jsp files in the test/jsp/ directory or samples/jsp/ directory to cause an error message to display that would reveal the directory listing and the full path to the Web root directory.
Consequences:

Obtain Information

Remedy:

No remedy available as of July 9, 2011.

References:

  • ProCheckUp Security Bulletin PR02-05: Tomcat source.jsp directory listing and webroot location display.
  • ProCheckUp Security Bulletin PR02-06: Tomcat realPath.jsp gives location of web root.
  • ProCheckUp Security Bulletin PR02-07: Tomcat multiple sample files display webroot location on default configuration on request.
  • The Jakarta Project Web site: The Jakarta Site - Apache Tomcat.
  • BID-4876: Apache Tomcat Source.JSP Malformed Request Information Disclosure Vulnerability
  • BID-4877: Apache Tomcat Example Files Web Root Path Disclosure Vulnerability
  • BID-4878: Apache Tomcat RealPath.JSP Malformed Request Information Disclosure Vulnerability
  • CVE-2002-2007: The default installations of Apache Tomcat 3.2.3 and 3.2.4 allow remote attackers to obtain sensitive system information such as directory listings and the web root path via erroneous HTTP requests for Java Server Pages (JSP) in the (1) test/jsp, (2) samples/jsp and (3) examples/jsp directories, or the (4) test/realPath.jsp servlet, which leaks pathnames in error messages.
  • US-CERT VU#116963: Apache Tomcat default installation contains sample applications that disclose webroot path

Platforms Affected:

  • Apache Tomcat 3.2.3
  • Apache Tomcat 3.2.4

Reported:

May 29, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
