
Tomcat real path disclosure

by Nikola Strahija on April 23rd, 2002. The CHINANSL Security Team discovered a security problem in the default installation of the Tomcat web server. A user can obtain the real filesystem path of the Tomcat installation through two "servlet" files that are installed by default, which gives an attacker additional information.


An "examples" directory, present in a default Tomcat installation, includes some "JSP" and "Servlet" examples that Tomcat provides for its users. An attacker can gain a good deal of information (such as the type of operating system and Tomcat's installation directory) from two of these servlets (SnoopServlet, TroubleShooter).
Note: the two links "SnoopServlet" and "TroubleShooter" do not appear when we access
http://localhost:8080/examples/servlets/index.html

Exploit:
http://localhost:8080/examples/servlet/SnoopServlet
http://localhost:8080/examples/servlet/TroubleShooter
Either of these reveals the real installation directory of Tomcat.

Solution:
Delete the two files (SnoopServlet.class, TroubleShooter.class) in the directory
"TOMCAT_HOME\webapps\examples\WEB-INF\classes".
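As an added example (not part of the advisory, and not Tomcat's own code), the following Python script flags access-log requests to the two example servlets named above and audits a TOMCAT_HOME for the class files the solution says to delete; the log lines and directory layout are constructed, and the log format assumed is Tomcat's common access-log pattern.

```python
import re
from pathlib import Path

# URL paths of the two default example servlets named in the advisory.
EXAMPLE_SERVLET_PATHS = (
    "/examples/servlet/SnoopServlet",
    "/examples/servlet/TroubleShooter",
)
# Their class files, relative to TOMCAT_HOME, in the directory the advisory says to clean.
EXAMPLE_SERVLET_CLASSES = (
    Path("webapps/examples/WEB-INF/classes/SnoopServlet.class"),
    Path("webapps/examples/WEB-INF/classes/TroubleShooter.class"),
)
# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b (assumed log format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_example_servlet_hits(log_lines):
    """Return (ip, path, status) for each request to an example servlet.
    Status 200 means the servlet answered, so the path disclosure is live."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path in EXAMPLE_SERVLET_PATHS:
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits

def audit_tomcat_home(tomcat_home):
    """Return the example servlet class files still present under tomcat_home."""
    return [p for p in EXAMPLE_SERVLET_CLASSES if (Path(tomcat_home) / p).is_file()]

def remove_example_servlets(tomcat_home):
    """Apply the advisory's fix: delete the two class files; returns what was removed."""
    removed = []
    for p in audit_tomcat_home(tomcat_home):
        (Path(tomcat_home) / p).unlink()
        removed.append(p)
    return removed

# Constructed sample log lines (not real traffic): one exposed server, one already fixed.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Apr/2002:10:15:01 +0000] "GET /examples/servlet/SnoopServlet HTTP/1.0" 200 1532',
    '10.0.0.5 - - [23/Apr/2002:10:15:03 +0000] "GET /examples/servlets/index.html HTTP/1.0" 200 4120',
    '10.0.0.9 - - [23/Apr/2002:10:16:10 +0000] "GET /examples/servlet/TroubleShooter?x=1 HTTP/1.0" 404 -',
]
```

Run find_example_servlet_hits over a real access log to spot servers that still answer these paths, and audit_tomcat_home before and after the removal to confirm the fix took.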

Reference:
This security advisory comes from CHINANSL TECHNOLOGY CO., LTD. It may be reproduced, but please keep the article complete; otherwise we will pursue our legal rights.
www.chinansl.com