| VID |
22106 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
Servlet |
| Detailed Description |
The web server discloses the contents of the 'WEB-INF' directory. Web applications are typically packaged in .WAR files, which have a standard structure. The WEB-INF directory inside the package is 'special': nothing under it is to be served directly to web clients, because it contains the application's Java class files and configuration information. Hence, when an application server receives a request for anything under /WEB-INF/, it will normally return a '403 Forbidden' or even a '404 Not Found' HTTP error. The web.xml file that resides in WEB-INF is the 'deployment descriptor' and contains detailed configuration and deployment information about the web application, e.g. URL mappings, servlet registration details, welcome files, MIME types, page-level security constraints, etc. Nonetheless, it is possible to retrieve any file located under the restricted 'WEB-INF' directory by submitting a malformed request in which a dot ('.') is appended to the end of the WEB-INF path component. The server's literal prefix check for '/WEB-INF/' does not match the altered path, but the Win32 file system ignores the trailing dot when it resolves the directory name, so the protected file is served anyway.
For example: www.someserver.com/WEB-INF./web.xml or www.someserver.com/WEB-INF./classes/MyServlet.class
This allows an attacker to download the .java and .class files of a given application, to read web.xml and other configuration files, and in some cases to obtain client session information.
This vulnerability affects the Win32 versions of multiple servlet engines / application servers.
* Vulnerable Products:
* Sybase EA Server 4.0 ( www.sybase.com )
* OC4J - Oracle Containers for J2EE ( www.oracle.com )
* Orion 1.5.3 ( www.orionserver.com )
* JRun 3.0, 3.1 and JRun 4 - Macromedia / Allaire JRun ( www.macromedia.com )
* HPAS 8.0 - Hewlett Packard App Server ( www.bluestone.hp.com )
* Pramati 3.0 - Pramati App Server ( www.pramati.com )
* Jo - Jo Webserver ( http://sourceforge.net/projects/tagtraum-jo/ or www.tagtraum.de ) |
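The following Python simulation is an added example, not code from this advisory or from any of the listed vendors. It models the flaw described above: a container that applies a literal '/WEB-INF/' prefix check to the raw request path, while the underlying Win32 file system strips trailing dots from path components before resolving the name. It also shows the hardened form (canonicalize the path the way the file system will, then apply the restriction) and a small detector for the probe in access-log lines. The Win32 normalization (`win32_normalize`), the in-memory application tree (`WEBAPP_FILES`) and the log lines (`SAMPLE_LOG`) are simplified, constructed assumptions; the model also treats trailing spaces and letter case the way Win32 does, which goes slightly beyond the trailing-dot case the advisory reports.

```python
"""Simulation of the WEB-INF trailing-dot bypass on a Win32-hosted servlet
container, with a naive and a hardened access check and a log detector.
Added example; the file tree, normalization model and log lines are constructed."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for a deployed application's file tree, keyed by the
# path relative to the web application root.
WEBAPP_FILES: Dict[str, str] = {
    "index.html": "<html>public page</html>",
    "WEB-INF/web.xml": "<web-app><servlet><servlet-name>MyServlet</servlet-name></servlet></web-app>",
    "WEB-INF/classes/MyServlet.class": "\xca\xfe\xba\xbe (class bytes)",
}


def win32_normalize(path: str) -> str:
    """Approximation (assumption) of how Win32 resolves a relative path:
    trailing dots and spaces are dropped from every component, '.' and ''
    components are ignored, '..' pops the previous component. Case is left
    as-is here; comparisons below are case-insensitive, as on Win32."""
    parts: List[str] = []
    for seg in path.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
            continue
        seg = seg.rstrip(". ")          # the behaviour that enables the bypass
        if seg:
            parts.append(seg)
    return "/".join(parts)


def win32_lookup(rel_path: str) -> Optional[str]:
    """Resolve a path against WEBAPP_FILES the way the Win32 file system would."""
    wanted = win32_normalize(rel_path).upper()
    for name, content in WEBAPP_FILES.items():
        if name.upper() == wanted:
            return content
    return None


def naive_is_forbidden(url_path: str) -> bool:
    """The flawed check: a literal prefix match on the request path as received.
    '/WEB-INF./web.xml' does not start with '/WEB-INF/', so it slips through."""
    return url_path.upper().startswith("/WEB-INF/")


def hardened_is_forbidden(url_path: str) -> bool:
    """Canonicalize first, exactly as the file system will, then decide on the
    first path component. META-INF is included because the servlet
    specification protects it in the same way as WEB-INF."""
    first = win32_normalize(url_path).split("/", 1)[0]
    return first.upper() in ("WEB-INF", "META-INF")


def serve(url_path: str, is_forbidden: Callable[[str], bool]) -> Tuple[int, str]:
    """Minimal static-file dispatch: access check, then file system lookup."""
    if is_forbidden(url_path):
        return 403, "Forbidden"
    content = win32_lookup(url_path.lstrip("/"))
    if content is None:
        return 404, "Not Found"
    return 200, content


# Detection: a WEB-INF component followed by one or more dots/spaces (raw or
# percent-encoded) before the next slash is the probe, whatever the letter case.
PROBE_RE = re.compile(r"/WEB-INF(?:\.|%2e| |%20)+/", re.IGNORECASE)

# Constructed Common Log Format lines: one normal request, one blocked direct
# request, and two trailing-dot probes that the naive check let through.
SAMPLE_LOG: List[str] = [
    '10.0.0.5 - - [12/Jul/2002:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 23',
    '10.0.0.9 - - [12/Jul/2002:10:01:07 +0000] "GET /WEB-INF/web.xml HTTP/1.0" 403 9',
    '10.0.0.9 - - [12/Jul/2002:10:01:09 +0000] "GET /WEB-INF./web.xml HTTP/1.0" 200 512',
    '10.0.0.9 - - [12/Jul/2002:10:01:11 +0000] "GET /web-inf./classes/MyServlet.class HTTP/1.0" 200 1480',
]


def find_webinf_probes(log_lines: List[str]) -> List[str]:
    """Return the log lines that carry a WEB-INF trailing-dot probe."""
    return [line for line in log_lines if PROBE_RE.search(line)]


if __name__ == "__main__":
    for path in ("/WEB-INF/web.xml", "/WEB-INF./web.xml", "/web-inf./classes/MyServlet.class"):
        print(f"{path:40} naive={serve(path, naive_is_forbidden)[0]} "
              f"hardened={serve(path, hardened_is_forbidden)[0]}")
    for hit in find_webinf_probes(SAMPLE_LOG):
        print("probe:", hit)
```

Running the block stand-alone prints 403 for the direct request under both checks, 200 for the dotted variants under the naive check and 403 under the hardened one, followed by the two probe lines from the constructed log. The design point is that any path-based restriction must be applied to the canonical form the file system will actually open, not to the bytes the client sent.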
| Recommendation |
Upgrade to a version that fixes this bug or install the vendor patch for your system.
* Sybase EA Server : Upgrade to EAServer 4.1 (also fixed in the maintenance release for 3.6.1)
* OC4J - Oracle Containers for J2EE : Fixed in the latest version of OC4J / 9iAS. Download OC4J from: http://www.oracle.com/technetwork/middleware/ias/downloads/utilsoft-090603.html
* JRun 3.0, 3.1, 4.0 : Upgrade to the latest version of JRun 3.0, 3.1 / 4.0 from: https://www.adobe.com/products/jrun/download/
* HPAS 8.0 : Will be fixed in Maintenance Pack 8 (MP8)
* Pramati App Server : Fixes will be available in Service Pack 1.
* Jo Webserver : Fixed in version 1.0b7 and later. http://sourceforge.net/projects/tagtraum-jo/ |
| Related URL |
CVE-2002-1855,CVE-2002-1856,CVE-2002-1857,CVE-2002-1858,CVE-2002-1859,CVE-2002-1860,CVE-2002-1861 (CVE) |
| Related URL |
5119 (SecurityFocus) |
| Related URL |
9446 (ISS) |
|