‘Apache Jakarta Tomcat 3 URL Parsing Vulnerability’

Summary

‘Tomcat is a JSP/Servlet implementation developed at the Apache Software Foundation. Tomcat versions 3.3.1 and earlier contain some security vulnerabilities that allow a remote user to retrieve listings of directories despite index.html or index.jsp files. It is also possible to retrieve contents of files and directories that should not be visible to outside.’

Credit:

‘The information has been provided by Jouko Pynnonen.’


Details

Vulnerable systems:
 * Tomcat versions 3.3.1 and earlier

Immune systems:
 * Tomcat version 3.3.1a

Certain kinds of HTTP requests containing binary null or backslash characters are parsed incorrectly by Tomcat’s built-in web server. The following GET request causes Tomcat to output the directory listing of the web root under default installation:
GET /<null byte>.jsp HTTP/1.0

The following UNIX command can be issued to test the vulnerability:
$ perl -e ‘print ‘GET /x00.jsp HTTP/1.0rnrn’;’ | nc my.server 8080

If your server is vulnerable, the command will output a HTTP header and the directory listing even if there’s an index file present. Furthermore, a backslash can be used in the following way to get information from otherwise inaccessible directories:
$ perl -e ‘print ‘GET /admin/WEB-INF\classes/ContextAdmin.javax00.jsp HTTP/1.0rnrn’;’|nc my.server 8080

This will output the contents of ContextAdmin.java.

The servlet engine interprets the directory listing and any file retrieved in this way as a JSP page, which might be exploited to run arbitrary Java code under some imaginable scenarios. If the attacker can create a file whose name contains JSP tags somewhere under the web root, the code would be run when the directory listing is fetched in the way described above. Similarly Java code embedded in *.html or any other file can be compiled and run by an attacker.

Solution:
The vendor was informed on January 10, 2003. A new version of Tomcat addressing this problem has been released. The fixed version 3.3.1a and additional information is available at http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/

According to the vendor, the problem only affects Tomcat used with JDK 1.3.1 or earlier.’

Categories: UNIX