| VID | 22092 |
| Severity | 20 |
| Port | 8080 |
| Protocol | TCP |
| Class | Servlet |
| Detailed Description | Jakarta Tomcat reveals sensitive path information. Jakarta Tomcat is a Java application server used with Apache Web servers to support JavaServer Pages (JSP) and Java servlets. When a user requests the URL of a nonexistent JSP file, the server includes the physical path to the Web directory in the error message. An attacker could use this to gain information about the file structure of the Web server that would be helpful in an attack. The path to the Web directory is shown in response to a request such as:
http://www.example.com/anything.jsp
Error: 404 Location: /anything.jsp
JSP file "/appsrv2/jakarta-tomcat/webapps/ROOT/anything.jsp" not found
References:
* http://www.securityfocus.com/bid/1531
* http://www.iss.net/security_center/static/4967.php |
| Recommendation | This issue was resolved in Tomcat 3.2.1. Download and install version 3.2.1 from The Jakarta Project's Web site, http://jakarta.apache.org/ |
| Related URL | CVE-2000-0759 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |
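An added example, not part of the original advisory: a regression check that inspects a captured 404 body for the error line quoted above and reports the disclosed web directory, so the upgrade can be verified. The function name and the patched sample body are assumptions made for illustration, and the check also covers Windows-style paths, which the advisory does not show.

```python
import re

# Error line quoted in the advisory:
#   JSP file "/appsrv2/jakarta-tomcat/webapps/ROOT/anything.jsp" not found
JSP_NOT_FOUND = re.compile(r'JSP file "([^"\r\n]+)" not found')
# Absolute filesystem path: Unix root or a Windows drive letter.
ABSOLUTE = re.compile(r'^(?:/|[A-Za-z]:/)')

# Response body taken from the advisory text.
VULNERABLE_BODY = (
    "Error: 404 Location: /anything.jsp\n"
    'JSP file "/appsrv2/jakarta-tomcat/webapps/ROOT/anything.jsp" not found\n'
)
# Constructed sample: a body that only echoes the requested URI.
PATCHED_BODY = (
    "Error: 404 Location: /anything.jsp\n"
    'JSP file "/anything.jsp" not found\n'
)


def leaked_web_root(body, requested_uri):
    """Return the server directory disclosed in a 404 body, or None.

    body          -- text of the error page returned for a missing JSP
    requested_uri -- the path that was requested, e.g. "/anything.jsp"
    """
    match = JSP_NOT_FOUND.search(body)
    if not match:
        return None
    path = match.group(1).replace("\\", "/")   # normalise Windows separators
    uri = requested_uri.split("?", 1)[0]       # ignore any query string
    if not ABSOLUTE.match(path) or path == uri:
        return None                            # only the request is echoed
    if path.endswith(uri):
        return path[: -len(uri)] or "/"        # strip the part the client sent
    return path.rsplit("/", 1)[0]              # fall back to the parent directory


if __name__ == "__main__":
    for name, body in (("vulnerable", VULNERABLE_BODY), ("patched", PATCHED_BODY)):
        root = leaked_web_root(body, "/anything.jsp")
        print(name, "->", root if root else "no path disclosed")
```

A non-`None` result after the upgrade to 3.2.1 means the error page still exposes the filesystem layout.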