VID 22090
Severity 20
Port 8080, ...
Protocol TCP
Class Servlet
Detailed Description The Apache Tomcat server has an information disclosure vulnerability via the 'TroubleShooter' servlet.
Apache Tomcat is the servlet container used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. It may be run on most Unix and Linux variants as well as Microsoft Windows operating systems. The default installation of Tomcat includes various sample JSP pages and servlets: an "examples" directory, present in the default install, contains sample JSPs and servlets that Tomcat provides for its users. One of these, the 'TroubleShooter' servlet, discloses sensitive information about the system, such as the real path of Tomcat's installation and the type of operating system. This servlet can also be used to perform cross-site scripting attacks.

* This check item tests only whether the Apache Tomcat TroubleShooter Servlet is installed.
Recommendation As a workaround, delete the 'TroubleShooter.class' servlet file from the directory "TOMCAT_HOME\webapps\examples\WEB-INF\classes".
Related URL CVE-2002-2006 (CVE)
Related URL 4575 (SecurityFocus)
Related URL 8932 (ISS)