Vulnerabilities > CVE-2002-2006 - Unspecified vulnerability in Apache Tomcat

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
apache
nessus
exploit available

Summary

The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.

Exploit-Db

description: Apache Tomcat 4.0/4.1 Servlet Path Disclosure Vulnerability. CVE-2002-2006. Remote exploit for unix platform
id: EDB-ID:21412
last seen: 2016-02-02
modified: 2002-04-23
published: 2002-04-23
reporter: CHINANSL Security Team
source: https://www.exploit-db.com/download/21412/
title: Apache Tomcat 4.0/4.1 - Servlet Path Disclosure Vulnerability

Nessus

  • NASL family: Web Servers
    NASL id: TOMCAT_4_1_0.NASL
    description: According to its self-reported version number, the instance of Apache Tomcat 4.x listening on the remote host is prior to 4.1.0. It is, therefore, affected by multiple vulnerabilities : - An error exists in the handling of malformed packets that can cause the processing thread to become unresponsive. A sequence of such requests can cause all threads to become unresponsive. (CVE-2003-0866) - Two example servlets, …
    last seen: 2020-03-18
    modified: 2010-11-04
    plugin id: 50475
    published: 2010-11-04
    reporter: This script is Copyright (C) 2010-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/50475
    title: Apache Tomcat 4.x < 4.1.0 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration block: when 'description' is set, the script only records its
    # metadata (IDs, references, risk scoring, dependencies) and then exits via
    # the exit(0) at the end of the block, before any check logic is reached.
    if (description)
    {
      script_id(50475);
      script_version("1.18");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/11");
    
      # Two CVEs are tracked. The cross-site scripting issue mentioned in the
      # description text below has no CVE listed in this call.
      script_cve_id("CVE-2003-0866", "CVE-2002-2006");
      script_bugtraq_id(4575, 5542, 8824);
    
      script_name(english:"Apache Tomcat 4.x < 4.1.0 Multiple Vulnerabilities");
      script_summary(english:"Checks the Apache Tomcat version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Apache Tomcat server is affected by multiple
    vulnerabilities.");
      # The description text itself states that the finding rests on the
      # self-reported version number and that the issues were not tested.
      # Treat a hit as a lead to verify on the host (for example, whether the
      # example servlets are actually deployed), not as confirmation.
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the instance of Apache
    Tomcat 4.x listening on the remote host is prior to 4.1.0. It is,
    therefore, affected by multiple vulnerabilities :
    
      - An error exists in the handling of malformed packets
        that can cause the processing thread to become
        unresponsive. A sequence of such requests can cause all
        threads to become unresponsive. (CVE-2003-0866)
    
      - Two example servlets, 'snoop' and a troubleshooting
        servlet, disclose the Apache Tomcat installation path.
        (CVE-2002-2006)
    
      - It has also been reported that this version of Tomcat
        is affected by a cross-site scripting vulnerability.
        The contents of a request URL are not sanitized before
        being returned to the browser should an error occur.
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"http://tomcat.apache.org/security-4.html#Fixed_in_Apache_Tomcat_4.1.0");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Apr/322");
      script_set_attribute(attribute:"solution", value:"Upgrade to Apache Tomcat version 4.1.0 or later.");
      # Scoring is taken from CVE-2003-0866 (see cvss_score_source below): the
      # base vectors carry an availability impact only (A:P / A:L) with
      # C:N and I:N. The path disclosure of CVE-2002-2006 is a confidentiality
      # issue and is therefore not reflected in this plugin's score.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2003-0866");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      # 20, 74 and 79 are weakness classes (input validation, injection, XSS).
      # NOTE(review): the remaining ids look like CWE view/category numbers
      # rather than individual weaknesses - confirm before using them for triage.
      script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/04/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2002/08/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/04");
    
      # NOTE(review): "combined" presumably means the result can come from either
      # remote or local detection, which would match the dependency list below
      # (an error-page version script plus two *_installed detections) - confirm.
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
      script_set_attribute(attribute:"agent", value:"all");
      script_end_attributes();
    
      # Information-gathering category: the script is registered as a
      # non-intrusive check.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2010-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # The plugin relies on earlier detection scripts and on the
      # "installed_sw/Apache Tomcat" knowledge-base key they are expected to set.
      script_dependencies("tomcat_error_version.nasl", "tomcat_win_installed.nbin", "apache_tomcat_nix_installed.nbin");
      script_require_keys("installed_sw/Apache Tomcat");
    
      # Stop here when only registering metadata.
      exit(0);
    }
    
    include("tomcat_version.inc");
    
    # The whole check is delegated to tomcat_check_version() from
    # tomcat_version.inc. Going by the argument names, 4.0.0 is the lowest
    # version considered and 4.1.0 the first fixed one, reported at warning
    # severity. No request for the example servlets is made in this script, so a
    # hit does not show that they are deployed on the host.
    # NOTE(review): xss:TRUE presumably marks the port as XSS-affected, and
    # granularity_regex "^4$" presumably handles a detected version that is only
    # the bare major number "4" - confirm both against tomcat_version.inc.
    tomcat_check_version(fixed:"4.1.0", min:"4.0.0", severity:SECURITY_WARNING, xss:TRUE, granularity_regex:"^4$");
    
    
  • NASL family: CGI abuses
    NASL id: APACHE_TOMCAT_TROUBLESHOOTER.NASL
    description: The default installation of Apache Tomcat includes various sample JSP pages and servlets. One of these, the …
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11046
    published: 2002-07-15
    reporter: This script is Copyright (C) 2002-2018 Matt Moore
    source: https://www.tenable.com/plugins/nessus/11046
    title: Apache Tomcat TroubleShooter Servlet Information Disclosure
    code
    #
    # This script was written by Matt Moore <[email protected]>
    #
    # Script audit and contributions from Carmichael Security
    #      Erik Anderson <[email protected]>
    #      Added BugtraqID
    #
    # See the Nessus Scripts License for details
    #
    
    
    include("compat.inc");
    
    # Registration block: when 'description' is set, the script only records its
    # metadata and exits via the exit(0) at the end of the block; the active
    # check further down is not reached in that case.
    if(description)
    {
     script_id(11046);
     script_version("1.39");
     script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
     # Single CVE and single Bugtraq id: this plugin covers only the path
     # disclosure issue.
     script_cve_id("CVE-2002-2006");
     script_bugtraq_id(4575);
    
     script_name(english:"Apache Tomcat TroubleShooter Servlet Information Disclosure");
     script_summary(english:"Tests whether the Apache Tomcat TroubleShooter Servlet is installed");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by a path disclosure issue.");
     script_set_attribute(attribute:"description", value:
    "The default installation of Apache Tomcat includes various sample JSP
    pages and servlets.  One of these, the 'TroubleShooter' servlet,
    discloses Tomcat's installation directory when accessed directly.");
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Apr/322");
     # The remediation is configuration hygiene (remove the example files),
     # not a version upgrade.
     script_set_attribute(attribute:"solution", value:
    "Example files should not be left on production servers.");
     # Base vector: network-reachable, no authentication, partial
     # confidentiality impact only (C:P, I:N, A:N), which matches an information
     # disclosure. "No exploit is required" below reflects that, per the
     # description, the servlet leaks the path simply by being accessed.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
     script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2002/04/22");
     script_set_attribute(attribute:"plugin_publication_date", value:"2002/07/15");
    
     # "remote": the finding comes from a request sent to the target (see the
     # check after this block), not from a version comparison.
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe",value:"cpe:/a:apache:tomcat");
     script_end_attributes();
     
     # Information-gathering category: registered as a non-intrusive check.
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2002-2020 Matt Moore");
     script_family(english:"CGI abuses");
    
     # NOTE(review): 'script_dependencie' is the older singular spelling of
     # script_dependencies - confirm the engine in use still accepts it.
     script_dependencie("find_service1.nasl","http_version.nasl");
     # Not run when CGI scanning is disabled in the scan settings; needs the
     # "www/tomcat" key and a web port (a detected www service, 80 or 8080).
     script_exclude_keys("Settings/disable_cgi_scanning");
     script_require_keys("www/tomcat");
     script_require_ports("Services/www", 80, 8080);
     # Stop here when only registering metadata.
     exit(0);
    }
    
    # Check starts here
    
    include("global_settings.inc");
    include("http_func.inc");
    include("http_keepalive.inc");
    include("misc_func.inc");
    
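    # Active check for the TroubleShooter example servlet (CVE-2002-2006).
    # Flow: pick a web port, confirm the banner looks like Tomcat, request the
    # servlet at its default examples path, and report when both marker strings
    # appear in the response.
    #
    # Coverage notes for whoever triages the result:
    #  - only the TroubleShooter servlet is requested here; nothing in this
    #    script requests the snoop servlet;
    #  - only the hard-coded '/examples' path is tried, so an examples webapp
    #    deployed under another context path would not be detected;
    #  - a server whose banner contains neither "Tomcat" nor "Apache-Coyote"
    #    is skipped as "not Tomcat" without being probed.
    port = get_http_port(default:80, embedded:TRUE);
    if (!port) exit(0, "No web servers were found");
    if (!get_port_state(port)) exit(0, "Port "+port+" is not open.");
    
    banner = get_http_banner(port:port);
    if (!banner) exit(1, "Failed to get the banner from the web server listening on port "+port+".");
    if ("Tomcat" >!< banner && "Apache-Coyote" >!< banner)
      exit(0, "The web server listening on port "+port+" is not Tomcat.");
    
    url = "/examples/servlet/TroubleShooter";
    req = http_get(item:url, port:port);
    r = http_keepalive_send_recv(port:port, data:req);
    # A missing response means the check could not be performed. Exit with an
    # error status (as the banner failure above does) instead of falling
    # through to the "is not affected" message, which would record an
    # unanswered request as a clean result.
    if (isnull(r)) exit(1, "The web server listening on port "+port+" failed to respond.");
    
    # Both markers must be present in the response before reporting, which keeps
    # a generic error page that merely echoes the servlet name from matching.
    confirmed = string("TroubleShooter Servlet Output");
    confirmed_too = string("hiddenValue");
    if ((confirmed >< r) && (confirmed_too >< r))
    {
      if (report_verbosity > 0)
      {
        # Include the full URL so the finding can be verified and the example
        # webapp located for removal.
        report = string(
          "\n",
          "The 'TroubleShooter' servlet is accessible as :\n",
          "\n",
          "  ", build_url(port:port, qs:url), "\n"
        );
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
    }
    else exit(0, "The web server listening on port "+port+" is not affected.");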