Apache Tomcat HTTP request for LPT9 reveals Web root path
| tomcat-lpt9-path-disclosure (9394) |  Low Risk |
Description:
Apache Tomcat could allow a remote attacker to obtain the physical path of the Web server. A remote attacker could send a specially-crafted URL request for a non-existent resource such as LPT9, which would return an error page containing the physical path of the Web server.
Consequences:
Obtain Information
Remedy:
Upgrade to the latest version of Apache Tomcat (4.1.3 beta or later), available from the Apache Tomcat download site. See References.
References:
- BugTraq Mailing List, Wed Jun 19 2002 - 04:38:38 CDT: KPMG-2002024: Apache Tomcat Path Disclosure.
- The Jakarta Project Web site: Binary Downloads.
- BID-5054: Apache Tomcat Web Root Path Disclosure Vulnerability
- CVE-2002-2008: Apache Tomcat 4.0.3 for Windows allows remote attackers to obtain the web root path via an HTTP request for a resource that does not exist, such as lpt9, which leaks the information in an error message.
Platforms Affected:
- Apache Tomcat 4.0.3
Reported:
Jun 19, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net