Apache Tomcat web.xml file disclosure
by Nikola Strahija on March 26th, 2003
When used with JDK 1.3.1 and earlier, Apache Tomcat 3.0 to 3.3.1 is vulnerable to file content disclosure.
Malicious web applications may read the content of some files.
It is possible to create a malicious "web.xml" file that is capable of reading parts of files that can be read as an XML document.
Vulnerable:
Apache Software Foundation Tomcat versions 3.0 to 3.3.1
Not vulnerable:
Apache Software Foundation Tomcat 3.3.1a
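An added example (not from the original advisory or the Tomcat project) that checks an inventory of Tomcat/JDK pairs against the versions listed above, including the letter-suffixed 3.3.1a fix release that naive numeric comparison misreads as 3.3.1. The host names and inventory are constructed; treating JDK update releases such as 1.3.1_07 as 1.3.1, and any letter suffix on 3.3.1 as patched, are assumptions.

```python
import re

# Ranges taken from the advisory text above.
FIRST_AFFECTED = (3, 0, 0)
LAST_AFFECTED = (3, 3, 1)       # 3.3.1 with no letter suffix
LAST_AFFECTED_JDK = (1, 3, 1)   # "JDK 1.3.1 and earlier"


def parse_tomcat(version):
    """Split '3.3.1a' into ((3, 3, 1), 'a'); missing parts count as 0."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?([a-z]?)",
                     version.strip().lower())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % version)
    nums = tuple(int(p) if p else 0 for p in m.group(1, 2, 3))
    return nums, m.group(4)


def parse_jdk(version):
    """Reduce '1.3.1_07' to (1, 3, 1); update suffixes are ignored (assumption)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised JDK version: %r" % version)
    return tuple(int(p) if p else 0 for p in m.groups())


def is_affected(tomcat, jdk):
    """True when both the Tomcat and the JDK condition of the advisory hold."""
    nums, suffix = parse_tomcat(tomcat)
    in_range = FIRST_AFFECTED <= nums <= LAST_AFFECTED
    # 3.3.1a carries the fix, so a letter suffix on 3.3.1 counts as patched.
    if nums == LAST_AFFECTED and suffix:
        in_range = False
    return in_range and parse_jdk(jdk) <= LAST_AFFECTED_JDK


# Constructed inventory: (host, Tomcat version, JDK version).
INVENTORY = [
    ("app01", "3.2.4", "1.3.1_07"),
    ("app02", "3.3.1", "1.4.1"),
    ("app03", "3.3.1a", "1.3.1"),
    ("app04", "3.3.1", "1.2.2"),
]


def triage(inventory):
    """Return the hosts that match the advisory and need the 3.3.1a upgrade."""
    return [host for host, tomcat, jdk in inventory if is_affected(tomcat, jdk)]


if __name__ == "__main__":
    print("Needs upgrade:", ", ".join(triage(INVENTORY)))
```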
Solution:
Fixes and patches are available:
HP and Debian users should follow the references in the Sources section below.
Apache Software Foundation Tomcat versions 3.0 to 3.3.1:
http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/
Sources:
HP advisory HPSBUX0303-249:
http://www.xatrix.org/article2813.html
Debian advisory DSA 246-1:
http://www.xatrix.org/article2609.html