VID 22156
Severity 30
Port 8080
Protocol TCP
Class Servlet
Detailed Description The Apache Tomcat server has a directory/file disclosure vulnerability.
Tomcat is a JSP/Servlet implementation developed at the Apache Software Foundation. Tomcat versions 3.3.1 and earlier contain security vulnerabilities that allow a remote user to retrieve directory listings even when an index.html or index.jsp file is present. It is also possible to retrieve the contents of files and directories that should not be visible from outside.
This vulnerability is due to improper handling of null bytes (%00) and backslash ('\') characters in requests for web resources. You can test for this vulnerability by requesting the following URL from your web browser:

http://target_host:8080/%00.jsp

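The advisory attributes the flaw to null bytes and backslashes in request paths, so those two characters are what a defender should look for in Tomcat access logs. The following is an added example (not code from the advisory or from the Tomcat project): it parses Common Log Format lines, URL-decodes the request target repeatedly so double-encoded forms such as %2500 are not missed, and reports requests that carry either character. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "method uri proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_suspicious_uri(uri: str) -> bool:
    """True if the request path contains a NUL byte or a backslash after
    decoding. Decoding is repeated (bounded) so that double-encoded
    variants such as %2500 or %255C are caught as well."""
    path = uri.split('?', 1)[0]          # query string is not a resource path
    for _ in range(3):
        decoded = unquote(path)
        if '\x00' in decoded or '\\' in decoded:
            return True
        if decoded == path:               # nothing left to decode
            break
        path = decoded
    return False


def find_suspicious_requests(lines):
    """Return (client, raw uri, status) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious_uri(m['uri']):
            hits.append((m['host'], m['uri'], m['status']))
    return hits


# Constructed sample log; the %00.jsp request mirrors the advisory's test URL.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2003:11:02:13 +0900] "GET /index.jsp HTTP/1.0" 200 1342
10.0.0.9 - - [10/Feb/2003:11:02:40 +0900] "GET /%00.jsp HTTP/1.0" 200 5120
10.0.0.9 - - [10/Feb/2003:11:02:41 +0900] "GET /docs%5C HTTP/1.0" 200 918
10.0.0.9 - - [10/Feb/2003:11:02:42 +0900] "GET /%2500.jsp HTTP/1.0" 200 5120
10.0.0.7 - - [10/Feb/2003:11:03:01 +0900] "GET /docs/index.html HTTP/1.0" 200 2200
"""

if __name__ == '__main__':
    for host, uri, status in find_suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f'{host} requested {uri!r} (status {status})')
```

A 200 status on such a request is the signal worth alerting on, since a patched server should not serve a listing or file for these paths.
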
* Platforms Affected:
Apache Tomcat versions 3.3.1 and earlier

* References:
http://online.securityfocus.com/bid/6721
http://www.securiteam.com/unixfocus/5DP14008UA.html
Recommendation Upgrade to the latest version (3.3.1a or later) of Apache Tomcat, available from http://jakarta.apache.org/builds/jakarta-tomcat/release/
Related URL CVE-2003-0042 (CVE)