Apache Tomcat Vulnerabilities

Updated 3/20/03
CAN-2003-0042
CAN-2003-0043
CAN-2003-0044

Impact

A remote attacker could obtain directory listings, read the source code of JSP files, or read files that are normally inaccessible.

Background

Apache Tomcat is an open source Java servlet container that can run as a standalone web server or behind an Apache HTTP server.

The Problem

2/10/03
CAN-2003-0042
Tomcat's built-in web server does not filter null bytes from request URLs. When the decoded path is handed to the operating system, the null byte is treated as the end of the string, so the file actually opened is only the part of the path before the null byte, while the extension check that decides how the request is handled sees the whole string. The server can therefore be tricked into handling a file as if it were a different file type. For example, requesting:
/<00>.jsp
(where <00> is a null byte, sent URL-encoded as %00) retrieves the directory listing of the / (web root) directory. Normally a welcome page such as index.html would be shown instead of the listing, but here the .jsp extension routes the request to the JSP handler while the path that is actually opened is /, so the usual welcome-file behavior is bypassed and the directory contents are revealed.

Variations of this attack can give remote read access to files that are normally inaccessible and can disclose JSP source code. Tomcat 3.3.1 and earlier are affected by this vulnerability.
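The following is an added example, not code from Tomcat or from the original advisory. It models the flaw described above in a few lines of Python: the handler is chosen from the extension of the full decoded path, but the operating system call that opens the file stops at the first null byte, so the two disagree. Beside it is the check that closes the hole (reject any null byte, normalize the path, and only then choose the handler from the path that will actually be opened), plus a scan over access-log lines for probes of this kind. The in-memory web root, the handler table, the "/app/admin.jsp%00.html" source-disclosure variation, and the log lines are all constructed for the example and are assumptions, not behavior documented on the page.

```python
# Added example (not Tomcat code): a minimal model of null-byte path
# truncation as described for Tomcat 3.3.1 (CAN-2003-0042), the check that
# closes it, and an access-log scan for probes that carry a null byte.
from urllib.parse import unquote
import posixpath

# Constructed web root: directories map to None, files map to their bytes.
WEBROOT = {
    "/": None,
    "/index.html": b"<html>welcome</html>",
    "/app": None,
    "/app/admin.jsp": b"<% out.print(secret); %>",
}


def c_string_view(path: str) -> str:
    """What a C library call (open, stat) sees when handed this path:
    everything up to the first NUL byte; the rest is silently dropped."""
    nul = path.find("\x00")
    return path if nul < 0 else path[:nul]


def handler_for(path: str) -> str:
    """Pick the handler from the extension; anything other than .jsp is static."""
    return "jsp" if path.lower().endswith(".jsp") else "static"


def serve(handler: str, fs_path: str) -> str:
    """Model of the two handlers. The static handler serves a welcome file for
    a directory when one exists and otherwise lists it; for a file it sends the
    bytes verbatim. The JSP handler 'executes' a file (source never leaves the
    server) and lists a directory, because it has no welcome-file logic."""
    if fs_path not in WEBROOT:
        return "404"
    node = WEBROOT[fs_path]
    if node is None:  # a directory
        welcome = posixpath.join(fs_path, "index.html")
        if handler == "static" and welcome in WEBROOT:
            return "file:" + WEBROOT[welcome].decode()
        names = sorted(posixpath.basename(k) for k in WEBROOT
                       if k != fs_path and posixpath.dirname(k) == fs_path)
        return "listing:" + ",".join(names)
    if handler == "jsp":
        return "executed:" + fs_path
    return "file:" + node.decode()


def dispatch_vulnerable(request_path: str) -> str:
    """Flawed flow: the extension check sees the whole decoded string, but the
    path handed to the OS is cut at the NUL, so handler and file disagree."""
    decoded = unquote(request_path)                       # "/%00.jsp" -> "/\x00.jsp"
    handler = handler_for(decoded)                        # sees ".jsp"
    fs_path = posixpath.normpath(c_string_view(decoded))  # OS sees "/"
    return serve(handler, fs_path)


def dispatch_fixed(request_path: str) -> str:
    """Hardened flow: reject NUL outright, normalize, then choose the handler
    from the exact path that will be opened."""
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return "400"
    fs_path = posixpath.normpath(decoded)  # collapse "." and ".." before deciding
    if not fs_path.startswith("/"):
        return "400"
    return serve(handler_for(fs_path), fs_path)


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2003:12:00:01 -0500] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [10/Feb/2003:12:00:07 -0500] "GET /%00.jsp HTTP/1.0" 200 1337',
    '10.0.0.9 - - [10/Feb/2003:12:00:09 -0500] "GET /app/admin.jsp%00.html HTTP/1.0" 200 24',
]


def find_null_byte_probes(log_lines):
    """Return the request targets whose decoded form contains a NUL byte."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split(" ")
        target = request[1] if len(request) > 1 else request[0]
        if "\x00" in unquote(target):
            hits.append(target)
    return hits


if __name__ == "__main__":
    for req in ("/", "/%00.jsp", "/app/admin.jsp", "/app/admin.jsp%00.html"):
        print(f"{req!r:30} vulnerable={dispatch_vulnerable(req)!r:40} fixed={dispatch_fixed(req)!r}")
    print("probes:", find_null_byte_probes(SAMPLE_LOG))
```

Run it as a script to see the vulnerable model hand back the root listing for /%00.jsp and the raw JSP source for the %00.html variation, while the fixed model answers 400 to both and behaves identically for clean paths. The design point is that a rejected null byte is the only safe outcome: stripping it or truncating the string yourself still leaves the handler decision and the opened file to be made from different strings.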

3/20/03
CAN-2003-0043
CAN-2003-0044
Tomcat 3.3.1 and earlier are also affected by two other vulnerabilities. The first (CAN-2003-0043) allows a web application, through its web.xml file, to read certain files outside of the web application's own directory, which matters wherever applications from untrusted sources are deployed. The second (CAN-2003-0044) allows cross-site scripting in one of the sample web applications shipped with Tomcat.

Note: This tutorial covers only vulnerabilities inherent to the Apache Tomcat engine itself. Other vulnerabilities that may affect a Tomcat installation are described in other tutorials, such as http cgi info and Cross site scripting.

Resolutions

Upgrade to Tomcat 3.3.1a or a later release.

Where can I read more about this?

For further details, see VulnWatch, Debian Security Advisory 246, and CIAC Bulletin N-060.