Vulnerabilities > CVE-2002-1148 - Unspecified vulnerability in Apache Tomcat
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.
Vulnerable Configurations
Exploit-Db
description | Apache Tomcat 3/4 DefaultServlet File Disclosure Vulnerability. CVE-2002-1148. Remote exploit for unix platform |
id | EDB-ID:21853 |
last seen | 2016-02-02 |
modified | 2002-09-24 |
published | 2002-09-24 |
reporter | Rossen Raykov |
source | https://www.exploit-db.com/download/21853/ |
title | Apache Tomcat 3/4 - DefaultServlet File Disclosure Vulnerability |
Nessus
# ---- Listing metadata from the page (not part of the plugin) ----
# NASL family : CGI abuses
# NASL id     : TOMCAT_SOURCE_EXPOSURE.NASL
# description : The version of Apache Tomcat running on the remote host is affected by an information disclosure vulnerability. It is possible to view source code using the default servlet : org.apache.catalina.servlets.DefaultServlet A remote attacker can exploit this information to mount further attacks. This version of Tomcat reportedly affected by additional vulnerabilities; however, Nessus has not checked for them.
# last seen   : 2020-06-01
# modified    : 2020-06-02
# plugin id   : 11176
# published   : 2002-11-28
# reporter    : This script is Copyright (C) 2002-2019 Felix Huber
# source      : https://www.tenable.com/plugins/nessus/11176
# title       : Apache Tomcat Catalina org.apache.catalina.servlets.DefaultServlet Source Code Disclosure
# ---- code ----
#
# This script was written by Felix Huber <[email protected]>
#
# v. 1.00 (last update 24.09.02)
#
#
# Changes by Tenable:
# - removed un-necessary requests
# - revised plugin title (4/7/2009)

include("compat.inc");

# Registration pass: when the engine sets `description`, the plugin only
# declares its metadata and leaves before any network traffic is sent.
if (description)
{
  script_id(11176);
  script_version("1.32");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  # One remote probe is registered against both CVE ids.
  script_cve_id("CVE-2002-1148", "CVE-2002-1394");
  script_bugtraq_id(5786, 6562);

  script_name(english:"Apache Tomcat Catalina org.apache.catalina.servlets.DefaultServlet Source Code Disclosure");
  script_summary(english:"Tomcat 4.x JSP source exposure.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote web server is affected by an information disclosure vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:"The version of Apache Tomcat running on the remote host is affected by an information disclosure vulnerability. It is possible to view source code using the default servlet : org.apache.catalina.servlets.DefaultServlet A remote attacker can exploit this information to mount further attacks. This version of Tomcat reportedly affected by additional vulnerabilities; however, Nessus has not checked for them."
  );
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to the latest version of this software."
  );

  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  # NOTE(review): the Exploit-Db section of this page lists EDB-ID:21853 for
  # CVE-2002-1148, so "false" here looks stale - confirm before relying on it
  # for prioritisation.
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vuln_publication_date", value:"2002/09/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2002/11/28");
  script_set_attribute(attribute:"plugin_type", value: "remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2002-2020 Felix Huber");
  script_family(english:"CGI abuses");

  script_dependencies("tomcat_error_version.nasl");
  script_require_ports("Services/www", 8080);
  script_require_keys("installed_sw/Apache Tomcat");
  exit(0);
}

#
# The script code starts here
#

include("http_func.inc");
include("http_keepalive.inc");

# Sends one GET for the default servlet path with `sfx` appended and raises a
# warning on `port` when the reply looks like a source disclosure.
#
#   sfx  - path of the resource to request through the servlet
#   port - TCP port of the web server under test
#
# The script ends (exit(0)) when there is no reply or once a finding has been
# reported; otherwise the function returns without reporting.
function check(sfx, port)
{
  local_var target, request, reply;

  target  = string("/servlet/org.apache.catalina.servlets.DefaultServlet", sfx);
  request = http_get(item:target, port:port);
  reply   = http_keepalive_send_recv(port:port, data:request);
  if (reply == NULL) exit(0);

  # Two independent signals lead to the same report:
  #   1. the reply contains "<%@", i.e. unprocessed JSP markup came back;
  #   2. the reply contains " 200 OK" together with a Tomcat 4.x Server banner.
  # NOTE(review): signal 2 never inspects the body, so it depends on the
  # status line and the banner alone; a host with a rewritten or suppressed
  # Server header is only caught by signal 1 - confirm findings manually.
  if ("<%@" >< reply ||
      (" 200 OK" >< reply && "Server: Apache Tomcat/4." >< reply))
  {
    security_warning(port);
    exit(0);
  }
}

port = get_http_port(default:8080, embedded:TRUE);

if (!get_port_state(port)) exit(0);

# Use a JSP path already recorded in the knowledge base for this port when one
# exists; "/index.jsp" is the fallback.
probe_path = "/index.jsp";
jsp_candidates = get_kb_list(string("www/",port, "/content/extensions/jsp"));
if (!isnull(jsp_candidates))
{
  jsp_candidates = make_list(jsp_candidates);
  probe_path = jsp_candidates[0];
}

check(sfx:probe_path, port:port);
# ---- Listing metadata from the page (not part of the plugin) ----
# NASL family : Debian Local Security Checks
# NASL id     : DEBIAN_DSA-225.NASL
# description : A security vulnerability has been confirmed to exist in Apache Tomcat 4.0.x releases, which allows to use a specially crafted URL to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by a security constraint, without the need for being properly authenticated. This is based on a variant of the exploit that was identified as CAN-2002-1148.
# last seen   : 2020-06-01
# modified    : 2020-06-02
# plugin id   : 15062
# published   : 2004-09-29
# reporter    : This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
# source      : https://www.tenable.com/plugins/nessus/15062
# title       : Debian DSA-225-1 : tomcat4 - source disclosure
# ---- code ----
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-225. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

# Registration pass: declare metadata only, then leave.
if (description)
{
  script_id(15062);
  script_version("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:17");

  # Registered against CVE-2002-1394 only; the description text ties it to
  # CAN-2002-1148 as a variant.
  script_cve_id("CVE-2002-1394");
  script_xref(name:"DSA", value:"225");

  script_name(english:"Debian DSA-225-1 : tomcat4 - source disclosure");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:"A security vulnerability has been confirmed to exist in Apache Tomcat 4.0.x releases, which allows to use a specially crafted URL to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by a security constraint, without the need for being properly authenticated. This is based on a variant of the exploit that was identified as CAN-2002-1148."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2003/dsa-225"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade the tomcat packages. For the current stable distribution (woody) this problem has been fixed in version 4.0.3-3woody2. The old stable distribution (potato) does not contain tomcat packages."
  );

  # NOTE(review): scored C:P/I:P/A:P and reported through security_hole below,
  # while the description speaks of disclosure only and the DSA-170 plugin on
  # this page scores the related issue C:P/I:N/A:N - confirm which is intended.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2003/01/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Preconditions: local checks enabled, a Debian release recorded, and the
# host's dpkg package list present in the knowledge base.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Count the tomcat4 packages on Debian 3.0 that deb_check() flags against the
# fixed version 4.0.3-3woody2.
# presumably deb_check() is true when the installed version is older than
# `reference` - confirm in debian_package.inc
flag = 0;
foreach tomcat_pkg (make_list("libtomcat4-java", "tomcat4", "tomcat4-webapps"))
{
  if (deb_check(release:"3.0", prefix:tomcat_pkg, reference:"4.0.3-3woody2")) flag++;
}

if (!flag) audit(AUDIT_HOST_NOT, "affected");
else
{
  # Attach the package report only when verbosity asks for it.
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
# ---- Listing metadata from the page (not part of the plugin) ----
# NASL family : Debian Local Security Checks
# NASL id     : DEBIAN_DSA-170.NASL
# description : A security vulnerability has been found in all Tomcat 4.x releases. This problem allows an attacker to use a specially crafted URL to return the unprocessed source code of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by security constraints, without the need for being properly authenticated.
# last seen   : 2020-06-01
# modified    : 2020-06-02
# plugin id   : 15007
# published   : 2004-09-29
# reporter    : This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
# source      : https://www.tenable.com/plugins/nessus/15007
# title       : Debian DSA-170-1 : tomcat4 - source code disclosure
# ---- code ----
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-170. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

# Registration pass: declare metadata only, then leave.
if (description)
{
  script_id(15007);
  script_version("1.19");
  script_cvs_date("Date: 2019/08/02 13:32:17");

  script_cve_id("CVE-2002-1148");
  script_bugtraq_id(5786);
  script_xref(name:"DSA", value:"170");

  script_name(english:"Debian DSA-170-1 : tomcat4 - source code disclosure");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:"A security vulnerability has been found in all Tomcat 4.x releases. This problem allows an attacker to use a specially crafted URL to return the unprocessed source code of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by security constraints, without the need for being properly authenticated."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2002/dsa-170"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade the tomcat package immediately. This problem has been fixed in version 4.0.3-3woody1 for the current stable distribution (woody) and in version 4.1.12-1 for the unstable release (sid). The old stable release (potato) does not contain tomcat packages. Also, packages for tomcat3 are not vulnerable to this problem."
  );

  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2002/10/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_set_attribute(attribute:"vuln_publication_date", value:"2002/09/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Preconditions: local checks enabled, a Debian release recorded, and the
# host's dpkg package list present in the knowledge base.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Count the tomcat4 packages on Debian 3.0 that deb_check() flags against the
# fixed version 4.0.3-3woody1. Only the 3.0 (woody) release is checked here,
# although the solution text also names a fixed version for sid.
# presumably deb_check() is true when the installed version is older than
# `reference` - confirm in debian_package.inc
flag = 0;
foreach tomcat_pkg (make_list("libtomcat4-java", "tomcat4", "tomcat4-webapps"))
{
  if (deb_check(release:"3.0", prefix:tomcat_pkg, reference:"4.0.3-3woody1")) flag++;
}

if (!flag) audit(AUDIT_HOST_NOT, "affected");
else
{
  # Attach the package report only when verbosity asks for it.
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
Redhat
advisories |
|
References
- http://www.securityfocus.com/bid/5786
- http://www.iss.net/security_center/static/10175.php
- http://www.debian.org/security/2002/dsa-170
- http://online.securityfocus.com/advisories/4758
- http://www.redhat.com/support/errata/RHSA-2002-217.html
- http://www.redhat.com/support/errata/RHSA-2002-218.html
- http://marc.info/?l=bugtraq&m=103288242014253&w=2
- https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E