
'WEB-INF' Folder accessible in Multiple Web Application Servers

by Nikola Strahija on June 28th, 2002

This vulnerability affects the Win32 versions of multiple J2EE servlet containers / application servers. By making a particular request to the servers in question it is possible to retrieve files located under the 'WEB-INF' directory.


A web application ('web app') is a collection of servlets, Java Server
Pages, HTML documents, images, etc. that are packaged in such a way that
they can be portably deployed on any servlet-enabled web server.

Applications are typically packaged in .WAR files. There is a standard
structure for these files which looks something like:


This can then be deployed to the application server. The WEB-INF directory
is 'special'; anything under it is not to be served directly to web clients
as it contains Java class files (for servlets etc) and configuration
information for the web application. Hence, when an application server
receives any requests for /WEB-INF/ it will usually return a '403 forbidden'
or even a '404 Not Found' HTTP error.

The web.xml file which resides in WEB-INF is what is called a
'deployment descriptor' and contains detailed information about the web
application, e.g.: URL mappings, servlet registration details, welcome
files, MIME types, page-level security constraints...

A vulnerability exists in multiple Win32 servlet engines whereby if you
append a dot ('.') to the end of WEB-INF in the requested URL, it is possible
to retrieve the contents of any files within that directory.

It is possible to download the .java and .class files for a given application,
and access web.xml and other configuration files, and in some cases client
session information.

For example:


This vulnerability is Win32 specific because of a quirk in the way the Windows
file system operates: the file system ignores a trailing '.' character
on a given path or filename, so 'WEB-INF.' opens the same directory as 'WEB-INF'
while a literal comparison against the requested URL no longer matches.
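The following is an added example, not code from the advisory or from any of the affected vendors. It models the failure the advisory describes: a check that compares the request URI literally against '/WEB-INF/' is bypassed when the Windows file system silently drops the trailing dot, whereas a check that canonicalizes each path segment the way the file system will (percent-decoding, treating '\' as '/', resolving '.' and '..', stripping trailing dots and also trailing spaces, which Windows drops in the same way, and comparing case-insensitively) is not. The access-log lines, client addresses and file names are constructed for the example; the "naive" check is a model of the behaviour, not the exact logic of any listed product.

```python
"""WEB-INF trailing-dot bypass: literal URI check versus a canonicalizing check,
plus a detector that flags bypass attempts in access-log lines.
Added example; constructed data throughout."""
import re
from urllib.parse import unquote


def naive_is_blocked(path: str) -> bool:
    """Model of the vulnerable behaviour: a literal match on the request URI
    as sent. '/app/WEB-INF./web.xml' does not contain '/WEB-INF/', so it
    slips through, yet Windows opens the WEB-INF directory for it."""
    return "/WEB-INF/" in path


def canonical_segments(path: str) -> list:
    """Reduce a request URI to the segments the Win32 file system would
    actually open: percent-decoded, '\\' treated as '/', '.' and '..'
    resolved, trailing dots and spaces stripped from every segment
    (the Windows quirk), and lower-cased because the file system is
    case-insensitive. A segment that is nothing but dots/spaces is dropped."""
    out = []
    for seg in re.split(r"[/\\]+", unquote(path)):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        seg = seg.rstrip(". ").lower()
        if seg:
            out.append(seg)
    return out


def hardened_is_blocked(path: str) -> bool:
    """Block whenever any canonical segment is WEB-INF, wherever it sits in
    the path; this is insensitive to trailing dots, encoding and case."""
    return "web-inf" in canonical_segments(path)


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jun/2002:10:01:02 +0000] "GET /app/index.jsp HTTP/1.0" 200 512
10.0.0.5 - - [28/Jun/2002:10:01:03 +0000] "GET /app/WEB-INF/web.xml HTTP/1.0" 403 0
10.0.0.9 - - [28/Jun/2002:10:01:04 +0000] "GET /app/WEB-INF./web.xml HTTP/1.0" 200 2048
10.0.0.9 - - [28/Jun/2002:10:01:05 +0000] "GET /app/web-inf%2E/classes/Login.class HTTP/1.0" 200 4096
10.0.0.7 - - [28/Jun/2002:10:01:06 +0000] "GET /app/images/logo.gif HTTP/1.0" 200 1200
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_webinf_bypasses(log_text: str) -> list:
    """Return (client, raw path, status) for every request whose canonical
    path reaches WEB-INF but which a literal '/WEB-INF/' check would have
    let through. A 200 on such a line is the sign of an actual disclosure;
    a 403/404 means the server already canonicalizes correctly."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        if hardened_is_blocked(path) and not naive_is_blocked(path):
            hits.append((client, path, int(status)))
    return hits


if __name__ == "__main__":
    for client, path, status in find_webinf_bypasses(SAMPLE_LOG):
        print(f"{client} {path} -> {status}")
```

The canonical check deliberately resolves the segment before comparing, which is what the vendor fixes listed below amount to in practice: deciding access on the name the file system will actually open rather than on the bytes in the request line. Applied to a server's logs, a 200 response on a flagged line means a WEB-INF file was served.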

Vulnerable Products
Sybase EA Server 4.0 ( )
OC4J - Oracle Containers for J2EE ( )
Orion 1.5.3 - ( ).
JRun 3.0, 3.1 and JRun 4 - Macromedia / Allaire JRun ( )
HPAS 8.0 - Hewlett Packard App Server ( )
Pramati 3.0 - Pramati App Server ( )
Jo - Jo Webserver ( or )

Patch Information:

Sybase EA Server
Upgrade to EAServer 4.1 (also fixed in maintenance release for 3.6.1)

OC4J - Oracle Containers for J2EE
Fixed in the latest version of OC4J / 9iAS. Download OC4J v9.0.2 from:

Note: Two previous versions (v1. and v1.0.2.2) are
still available from this page, both of which still have this
vulnerability (as of 28/06/02). If you are using either of
these versions you should upgrade.

A vulnerable developer preview was available for download from . This download
has now been fixed.

Orion Server
Fixed in version 1.5.4

JRun 3.0, 3.1, 4.0
Vendor contacted 31/1/02.
Bug confirmed in 3.1 by vendor on 06/02/02.
Vendor Alert:
Cumulative Patch available for JRun 3.0, 3.1 / 4.0

HPAS 8.0
Vendor contacted 07/02/02, bug confirmed by vendor on same day. Will be fixed
in Maintenance Pack 8 (MP8)

Pramati App Server
Vendor contacted on 04/02/02. Fixes will be available in Service Pack 1.

Jo Webserver
Fixed in version 1.0b7 and later.

Additional Information

A Nessus plugin for this vulnerability should shortly be available from


This advisory is available online at:
