Apache Tomcat web.xml file disclosure

by Nikola Strahija on March 26th, 2003

When used with JDK 1.3.1 and earlier, Apache Tomcat 3.0 to 3.3.1 is vulnerable to a file content disclosure.


Malicious web applications may read the content of some files.
A malicious "web.xml" file can be crafted to read parts of files that can be read as an XML document.

Vulnerable:
Apache Software Foundation Tomcat versions 3.0 to 3.3.1


Not vulnerable:
Apache Software Foundation Tomcat 3.3.1a


Solution:
Fixes and patches are available.
HP and Debian users should follow the references in the Sources section below.

Apache Software Foundation Tomcat versions 3.0 to 3.3.1:
http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/


Sources:
HP advisory HPSBUX0303-249:
http://www.xatrix.org/article2813.html

Debian advisory DSA 246-1:
http://www.xatrix.org/article2609.html

