Message-ID: <Pine.LNX.4.33.0301301253330.2585-100000@lissu.solutions.fi>
From: jouko at solutions.fi (Jouko Pynnonen)
Subject: Apache Jakarta Tomcat 3 URL parsing vulnerability



OVERVIEW
========

Tomcat is a JSP/Servlet implementation developed at the Apache Software 
Foundation. Tomcat versions 3.3.1 and earlier contain security 
vulnerabilities which allow a remote user to retrieve directory listings 
even when an index.html or index.jsp file is present. It is also possible 
to retrieve the contents of files and directories that should not be 
visible to the outside.



DETAILS
=======

Certain kinds of HTTP requests containing binary null or backslash 
characters are parsed incorrectly by Tomcat's built-in web server. The 
following GET request causes Tomcat to output the directory listing of 
the web root under a default installation:

GET /<null byte>.jsp HTTP/1.0

The following UNIX command can be issued to test the vulnerability:

$ perl -e 'print "GET /\x00.jsp HTTP/1.0\r\n\r\n";' | nc my.server 8080

If your server is vulnerable, the command will output an HTTP header and 
the directory listing even if there is an index file present. Furthermore, 
a backslash can be used in the following way to retrieve files from 
otherwise inaccessible directories:

$ perl -e 'print "GET /admin/WEB-INF\\classes/ContextAdmin.java\x00.jsp HTTP/1.0\r\n\r\n";'|nc my.server 8080

This will output the contents of ContextAdmin.java.

The servlet engine interprets the directory listing and any file 
retrieved in this way as a JSP page, which might be exploited to run 
arbitrary Java code in some scenarios. If the attacker can create a file 
whose name contains JSP tags somewhere under the web root, the code would 
be run when the directory listing is fetched in the way described above. 
Similarly, Java code embedded in a *.html or any other file can be 
compiled and run by an attacker.
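As an added illustration (not code from this advisory or from Tomcat), the following Python models the mismatch described above, where the handler is chosen from the full request path while the file lookup stops at the null byte and treats a backslash as a separator, beside a hardened resolver that closes the gap, and it flags the same request patterns in constructed access-log lines. The file layout, log format and function names are assumptions.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

def vulnerable_resolve(path: str) -> Tuple[str, str]:
    """Model of the flaw: the handler is chosen from the whole request path
    (a trailing '.jsp' selects the JSP engine), while the file lookup acts
    like a C string, stopping at the first NUL, and treats '\\' as '/'."""
    handler = "jsp" if path.lower().endswith(".jsp") else "static"
    fs_path = path.split("\x00", 1)[0].replace("\\", "/")
    return handler, fs_path

def hardened_resolve(path: str) -> Optional[Tuple[str, str]]:
    """Decode once, reject control bytes and backslashes, normalise, refuse
    WEB-INF, and pick the handler from the *resolved* path so the handler
    and the file actually served can never disagree. None means reject."""
    decoded = unquote(path)
    if "\\" in decoded or any(ord(c) < 0x20 for c in decoded):
        return None
    norm = posixpath.normpath("/" + decoded.lstrip("/"))
    if "/WEB-INF/" in (norm.upper() + "/"):
        return None
    handler = "jsp" if norm.lower().endswith(".jsp") else "static"
    return handler, norm

# Constructed access-log lines (not real traffic) shaped like the requests
# in the advisory; the first two are the patterns a defender wants to spot.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Jan/2003:12:53:33 +0200] "GET /%00.jsp HTTP/1.0" 200 812',
    '10.0.0.5 - - [30/Jan/2003:12:53:40 +0200] '
    '"GET /admin/WEB-INF\\classes/ContextAdmin.java%00.jsp HTTP/1.0" 200 4210',
    '10.0.0.9 - - [30/Jan/2003:12:54:01 +0200] "GET /index.jsp HTTP/1.0" 200 1320',
]
REQ_LINE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')

def flag_requests(lines: List[str]) -> List[str]:
    """Return request paths carrying a NUL (raw or %00), a backslash, or a
    WEB-INF component: the ingredients of the requests shown above."""
    hits = []
    for line in lines:
        m = REQ_LINE.search(line)
        if not m:
            continue
        raw = m.group(1)
        if "\x00" in raw or "%00" in raw or "\\" in raw or "WEB-INF" in raw.upper():
            hits.append(raw)
    return hits
```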



SOLUTION
========

The vendor was informed on January 10, 2003. A new version of Tomcat 
addressing this problem has been released. The fixed version 3.3.1a and 
additional information are available at

  http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/

According to the vendor, the problem only affects Tomcat used with JDK 
1.3.1 or earlier.



CREDITS
=======

The vulnerability was discovered by Jouko Pynnönen of Online Solutions 
Ltd, Finland.



-- 
Jouko Pynnonen          Online Solutions Ltd       Secure your Linux -
jouko@...utions.fi      http://www.solutions.fi    http://www.secmod.com

