bugtraq id:
object:
class:Input Validation Error
cve:
remote: Yes
local: Yes
published Apr 16, 2002
updated Apr 16, 2002
vulnerable: Tomcat 4.1
not vulnerable:
disscussion:
CHINANSL Security Team found a security problem
at the usage of Tomcat 4.1 WEB server. When the
customer inputs a special URL, he can acquire the
real path of Tomcat 4.1 in the system, providing more
information for hacker’s attacks.
CHINANSL Security Team analyzed this vulnerability,
discovered that there are some problems in Tomcat
4.1 handling the URL request. If the customer
submits “http:// target/ a/ index.jsp”, Tomcat 4.1 will
establish “a” directory under “work” directory at fist.
After this, Tomcat will find “index.jsp” in the WEB
matching directory and compile it to “index$jsp.java”.
Then, Tomcat will output results. But there is a
problem in this process: Tomcat 4.1 will output the
real path if the customer’s request can’t be created
as a directory.For example: http://target/>/index.jsp
“>”can’t be set up as a directory under the Window
system. Therefore, the above problem appears.
exploit:
Example 1:http://tomcat4.1/+/index.jsp
Example 2:http://tomcat4.1/>/index.jsp
Example 3:http://tomcat4.1/%20/index.jsp
Example 4:http://tomcat4.1/</index.jsp
All of these can gain the real installed directory of
TOMCAT 4.1
solution:
We should first check whether there is a catalogue
matching the customer request document in the
WEB catalogue, then, we can set up a matching
catalogue and “.java” document in “work ”catalogue.
“S-WEB2.0”which is developed by Chinansl can
solve this problem.
Copyright 2001-2002 CHINANSL. All Rights
Reserved.
credit:
This security advisory comes from CHINANSL
TECHNOLOGY CO.,LTD. It can be transshipped. But
please guarantee the completion of the article,
otherwise we will pursue the rights of the law.
www.chinansl.com
[EMAIL PROTECTED]
reference:
CHINANSL Security Team
[EMAIL PROTECTED]
CHINANSL TECHNOLOGY CO.,LTD
http://www.chinansl.com