CVE-2002-2006 - Unspecified vulnerability in Apache Tomcat
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 14 |
Exploit-Db
description | Apache Tomcat 4.0/4.1 Servlet Path Disclosure Vulnerability. CVE-2002-2006. Remote exploit for unix platform |
id | EDB-ID:21412 |
last seen | 2016-02-02 |
modified | 2002-04-23 |
published | 2002-04-23 |
reporter | CHINANSL Security Team |
source | https://www.exploit-db.com/download/21412/ |
title | Apache Tomcat 4.0/4.1 - Servlet Path Disclosure Vulnerability |
Nessus
NASL family | Web Servers |
NASL id | TOMCAT_4_1_0.NASL |
description | According to its self-reported version number, the instance of Apache Tomcat 4.x listening on the remote host is prior to 4.1.0. It is, therefore, affected by multiple vulnerabilities : - An error exists in the handling of malformed packets that can cause the processing thread to become unresponsive. A sequence of such requests can cause all threads to become unresponsive. (CVE-2003-0866) - Two example servlets, |
last seen | 2020-03-18 |
modified | 2010-11-04 |
plugin id | 50475 |
published | 2010-11-04 |
reporter | This script is Copyright (C) 2010-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/50475 |
title | Apache Tomcat 4.x < 4.1.0 Multiple Vulnerabilities |
code |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(50475);
  script_version("1.18");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/11");

  script_cve_id("CVE-2003-0866", "CVE-2002-2006");
  script_bugtraq_id(4575, 5542, 8824);

  script_name(english:"Apache Tomcat 4.x < 4.1.0 Multiple Vulnerabilities");
  script_summary(english:"Checks the Apache Tomcat version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Apache Tomcat server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the instance of Apache
Tomcat 4.x listening on the remote host is prior to 4.1.0. It is,
therefore, affected by multiple vulnerabilities :

  - An error exists in the handling of malformed packets
    that can cause the processing thread to become
    unresponsive. A sequence of such requests can cause all
    threads to become unresponsive. (CVE-2003-0866)

  - Two example servlets, 'snoop' and a troubleshooting
    servlet, disclose the Apache Tomcat installation path.
    (CVE-2002-2006)

  - It has also been reported that this version of Tomcat is
    affected by a cross-site scripting vulnerability. The
    contents of a request URL are not sanitized before being
    returned to the browser should an error occur.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"http://tomcat.apache.org/security-4.html#Fixed_in_Apache_Tomcat_4.1.0");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Apr/322");
  script_set_attribute(attribute:"solution", value:"Upgrade to Apache Tomcat version 4.1.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2003-0866");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2002/04/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2002/08/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/04");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
  script_set_attribute(attribute:"agent", value:"all");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2010-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tomcat_error_version.nasl", "tomcat_win_installed.nbin", "apache_tomcat_nix_installed.nbin");
  script_require_keys("installed_sw/Apache Tomcat");

  exit(0);
}

include("tomcat_version.inc");

tomcat_check_version(fixed:"4.1.0", min:"4.0.0", severity:SECURITY_WARNING, xss:TRUE, granularity_regex:"^4$");
```

NASL family | CGI abuses |
NASL id | APACHE_TOMCAT_TROUBLESHOOTER.NASL |
description | The default installation of Apache Tomcat includes various sample JSP pages and servlets. One of these, the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 11046 |
published | 2002-07-15 |
reporter | This script is Copyright (C) 2002-2018 Matt Moore |
source | https://www.tenable.com/plugins/nessus/11046 |
title | Apache Tomcat TroubleShooter Servlet Information Disclosure |
code |

```
#
# This script was written by Matt Moore <[email protected]>
#
# Script audit and contributions from Carmichael Security
#      Erik Anderson <[email protected]>
#      Added BugtraqID
#
# See the Nessus Scripts License for details
#

include("compat.inc");

if(description)
{
  script_id(11046);
  script_version("1.39");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  script_cve_id("CVE-2002-2006");
  script_bugtraq_id(4575);

  script_name(english:"Apache Tomcat TroubleShooter Servlet Information Disclosure");
  script_summary(english:"Tests whether the Apache Tomcat TroubleShooter Servlet is installed");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a path disclosure issue.");
  script_set_attribute(attribute:"description", value:
"The default installation of Apache Tomcat includes various sample JSP
pages and servlets. One of these, the 'TroubleShooter' servlet,
discloses Tomcat's installation directory when accessed directly.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Apr/322");
  script_set_attribute(attribute:"solution", value:
"Example files should not be left on production servers.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2002/04/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2002/07/15");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:apache:tomcat");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2002-2020 Matt Moore");
  script_family(english:"CGI abuses");

  script_dependencie("find_service1.nasl","http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/tomcat");
  script_require_ports("Services/www", 80, 8080);
  exit(0);
}

# Check starts here

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("misc_func.inc");

port = get_http_port(default:80, embedded:TRUE);
if (!port) exit(0, "No web servers were found");
if(!get_port_state(port)) exit(0, "Port "+port+" is not open.");

banner = get_http_banner(port: port);
if (!banner) exit(1, "Failed to get the banner from the web server listening on port "+port+".");
if ("Tomcat" >!< banner && "Apache-Coyote" >!< banner) exit (0, "The web server listening on port "+port+" is not Tomcat.");

url = "/examples/servlet/TroubleShooter";
req = http_get(item:url, port:port);
r = http_keepalive_send_recv(port:port, data:req);
confirmed = string("TroubleShooter Servlet Output");
confirmed_too = string("hiddenValue");
if ((confirmed >< r) && (confirmed_too >< r))
{
  if (report_verbosity > 0)
  {
    report = string(
      "\n",
      "The 'TroubleShooter' servlet is accessible as :\n",
      "\n",
      " ", build_url(port:port, qs:url), "\n"
    );
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
}
else exit(0, "The web server listening on port "+port+" is not affected.");
```

References
- http://archives.neohapsis.com/archives/bugtraq/2002-04/0311.html
- http://www.securityfocus.com/bid/4575
- http://www.iss.net/security_center/static/8932.php
- http://tomcat.apache.org/security-4.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1
- http://secunia.com/advisories/30908
- http://secunia.com/advisories/30899
- http://www.vupen.com/english/advisories/2008/1979/references
- https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E