Vulnerabilities > CVE-2002-2007 - Information Disclosure vulnerability in Apache Tomcat 3.2.3/3.2.4

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
apache
nessus
exploit available

Summary

The default installations of Apache Tomcat 3.2.3 and 3.2.4 allow remote attackers to obtain sensitive system information, such as directory listings and the web root path, via erroneous HTTP requests for Java Server Pages (JSP) in the (1) test/jsp, (2) samples/jsp and (3) examples/jsp directories, or the (4) test/realPath.jsp servlet, which leaks pathnames in error messages.

Vulnerable Configurations

Part Description Count
Application
Apache
2

Exploit-Db

  • descriptionApache Tomcat 3.2.3/3.2.4 RealPath.JSP Malformed Request Information Disclosure. CVE-2002-2007. Remote exploits for multiple platform
    idEDB-ID:21492
    last seen2016-02-02
    modified2002-05-29
    published2002-05-29
    reporterRichard Brain
    sourcehttps://www.exploit-db.com/download/21492/
    titleApache Tomcat 3.2.3/3.2.4 - RealPath.JSP Malformed Request Information Disclosure
  • descriptionApache Tomcat 3.2.3/3.2.4 Example Files Web Root Path Disclosure. CVE-2002-2007. Remote exploits for multiple platform
    idEDB-ID:21491
    last seen2016-02-02
    modified2002-05-29
    published2002-05-29
    reporterRichard Brain
    sourcehttps://www.exploit-db.com/download/21491/
    titleApache Tomcat 3.2.3/3.2.4 - Example Files Web Root Path Disclosure
  • descriptionApache Tomcat 3.2.3/3.2.4 Source.JSP Malformed Request Information Disclosure. CVE-2002-2007. Remote exploits for multiple platform
    idEDB-ID:21490
    last seen2016-02-02
    modified2002-05-29
    published2002-05-29
    reporterRichard Brain
    sourcehttps://www.exploit-db.com/download/21490/
    titleApache Tomcat 3.2.3/3.2.4 - Source.JSP Malformed Request Information Disclosure

Nessus

  • NASL familyWeb Servers
    NASL idTOMCAT_EXAMPLES_WEBROOT_DISCLOSURE.NASL
    descriptionThe instance of Apache Tomcat listening on the remote host is affected by an information disclosure vulnerability. An attacker is able to determine the Tomcat application's web root path by requesting any one of numerous example files.
    last seen2020-06-01
    modified2020-06-02
    plugin id50688
    published2010-11-23
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/50688
    titleApache Tomcat Examples Web Root Path Disclosure
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when the script is run with `description` set, it
    # only declares the metadata below and exits before any probing code runs.
    if (description)
    {
      script_id(50688);
      script_version("1.12");
      script_cvs_date("Date: 2018/08/01 17:36:15");
    
      # Advisory references: one CVE and two Bugtraq IDs are mapped to this check.
      script_cve_id("CVE-2002-2007");
      script_bugtraq_id(4877, 4878);
    
      script_name(english:"Apache Tomcat Examples Web Root Path Disclosure");
      script_summary(english:"Checks Apache Tomcat Information Disclosure.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote Apache Tomcat server is affected by an information
    disclosure vulnerability."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The instance of Apache Tomcat listening on the remote host is affected
    by an information disclosure vulnerability. An attacker is able to
    determine the Tomcat application's web root path by requesting any one
    of numerous example files."
      );
      # Remediation guidance: the vendor security page and the fixed release.
      script_set_attribute(attribute:"see_also", value:"http://tomcat.apache.org/security-3.html#Fixed_in_Apache_Tomcat_3.3a");
      script_set_attribute(attribute:"solution", value:"Upgrade to 3.3a or later.");
      # Scoring: network-reachable, low complexity, no authentication, and a
      # confidentiality-only impact (C:P in CVSS2, C:L in CVSS3); integrity and
      # availability are both rated "none".
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      # NOTE(review): patch_publication_date (2002/01/14) is earlier than
      # vuln_publication_date (2002/05/29) - presumably the fixed release shipped
      # before the public advisory; confirm before relying on these dates.
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/05/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2002/01/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/23");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
      script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_end_attributes();
    
      # Declared as an information-gathering check in the "Web Servers" family.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
    
      # Scheduling constraints: depends on tomcat_error_version.nasl, needs a web
      # service (or port 8080) and the "installed_sw/Apache Tomcat" KB key.
      script_dependencies("tomcat_error_version.nasl");
      script_require_ports("Services/www", 8080);
      script_require_keys("installed_sw/Apache Tomcat");
    
      # Registration is complete; nothing below this block runs in this mode.
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("webapp_func.inc");
    include("http.inc");
    
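    # Stop immediately when no Apache Tomcat install is known (exit_if_zero),
    # then resolve the HTTP port (default 8080) and the install bound to it.
    get_install_count(app_name:"Apache Tomcat", exit_if_zero:TRUE);
    port = get_http_port(default:8080);
    install = get_single_install(app_name:"Apache Tomcat", port:port);
    
    # URLs whose responses turned out to leak a path; filled by the probe loop.
    vuln_urls = make_list();
    
    # Candidate example/test pages, each listed exactly once. The original list
    # repeated 'test/jsp/pageInfo.jsp' and 'test/jsp/pageImport2.jsp'; in
    # thorough mode that sent the same request twice and reported the same URL
    # twice. The order of first occurrences is kept, so the single URL probed
    # when thorough_tests is off is unchanged.
    test_urls = make_list(
        'test/jsp/pageInfo.jsp',
        'test/jsp/pageImport2.jsp',
        'test/jsp/buffer1.jsp',
        'test/jsp/buffer2.jsp',
        'test/jsp/buffer3.jsp',
        'test/jsp/buffer4.jsp',
        'test/jsp/comments.jsp',
        'test/jsp/extends1.jsp',
        'test/jsp/extends2.jsp',
        'test/jsp/pageAutoFlush.jsp',
        'test/jsp/pageDouble.jsp',
        'test/jsp/pageExtends.jsp',
        'test/jsp/pageInvalid.jsp',
        'test/jsp/pageIsErrorPage.jsp',
        'test/jsp/pageIsThreadSafe.jsp',
        'test/jsp/pageLanguage.jsp',
        'test/jsp/pageSession.jsp',
        'test/jsp/declaration/IntegerOverflow.jsp',
        'test/realPath.jsp'
    );
    
    # vuln_pat1: capture group 2 is an absolute path (drive-letter or '/' rooted)
    # that follows a newline or the text "The real path is " and is followed by
    # either a work/localhost_8080 directory or webapps/test/test/realPath.jsp.
    # NOTE(review): "localhost_8080" is a literal, so the work-directory
    # alternative presumably matches only installs using that host/port name -
    # confirm whether other ports can produce a false negative here.
    vuln_pat1 = "(\n|The real path is )([A-Z]:\\.*|\/.*)([\/\\]work[\/\\]localhost_8080|[\/\\]webapps[\/\\]test[\/\\]test[\/\\]realPath.jsp)";
    # vuln_pat2: capture group 2 is the path prefix printed in a Jasper
    # CompileException error page for a JSP under webapps/test.
    # NOTE(review): the trailing "([0-9],[0-9])" accepts a single-digit line and
    # column only - presumably enough for the bundled test pages; confirm.
    vuln_pat2 = "(\n)<h2>Location:.*</h2><b>Internal Servlet Error:</b><br><pre>org\.apache\.jasper\.compiler\.CompileException: ([A-Z]:\\.*|\/.*)webapps[\/\\]test[\/\\].*\.jsp\([0-9],[0-9]\)";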
    
    # Request each candidate page and remember the ones whose response body
    # discloses a filesystem path.
    foreach url (test_urls)
    {
      res = http_send_recv3(
        method       : 'GET',
        item         : '/'+url,
        port         : port,
        fetch404     : TRUE,
        exit_on_fail : TRUE
      );
      body = res[2];
    
      # First pattern, then the second one as a fallback.
      hit = eregmatch(pattern:vuln_pat1, string:body);
      if (!hit)
        hit = eregmatch(pattern:vuln_pat2, string:body);
    
      # Capture group 2 holds the leaked path in both patterns.
      if (!isnull(hit[2]))
      {
        web_root  = hit[2];
        vuln_urls = make_list(vuln_urls, url);
      }
    
      # Unless thorough tests are enabled, only the first URL is ever requested,
      # whether or not it leaked anything.
      if (!thorough_tests)
        break;
    }
    
    # No URL leaked a path: finish with the "not affected" message.
    if (max_index(vuln_urls) <= 0)
      exit(0, "The Tomcat server listening on port " + port + " is not affected.");
    
    if (report_verbosity <= 0)
      security_warning(port);
    else
    {
      # The report shows the last path captured plus every URL that leaked one.
      intro = "Nessus was able to obtain the remote Tomcat web root path : " +
        '\n\n' +
        web_root +
        '\n\n' +
        'The install path was obtained using the following URL';
      details = get_vuln_report(port:port, items:vuln_urls, header:intro);
      security_warning(port:port, extra:details);
    }
    
    
  • NASL familyCGI abuses
    NASL idTOMCAT_SRCJSP_MALFORMED_REQUEST.NASL
    descriptionThe source.jsp page, distributed with Apache Tomcat, discloses information when given a specially crafted query string. This can reveal information such as the web root path and directory listings. A remote attacker could exploit this information to mount further attacks.
    last seen2020-06-01
    modified2020-06-02
    plugin id12123
    published2004-03-31
    reporterThis script is Copyright (C) 2004-2019 David Kyger
    sourcehttps://www.tenable.com/plugins/nessus/12123
    titleApache Tomcat source.jsp Arbitrary Directory Listing
    code
    #
    # This script was written by David Kyger <[email protected]>
    #
    # See the Nessus Scripts License for details
    #
    
    include("compat.inc");
    
    # Registration branch: when the script is run with `description` set, it
    # only declares the metadata below and exits before the check itself runs.
    if (description)
    {
      script_id(12123);
      script_version("1.19");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
      # Advisory references: CVE, Bugtraq ID and a CERT cross-reference.
      script_cve_id("CVE-2002-2007");
      script_bugtraq_id(4876);
      script_xref(name:"CERT", value:"116963");
    
      script_name(english:"Apache Tomcat source.jsp Arbitrary Directory Listing");
      script_summary(english:"Checks for the Tomcat source.jsp malformed request vulnerability.");
     
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by an information disclosure
    vulnerability.");
      script_set_attribute(
        attribute:"description",
        value:
    "The source.jsp page, distributed with Apache Tomcat, discloses
    information when given a specially crafted query string. This can
    reveal information such as the web root path and directory listings. A
    remote attacker exploit this information to mount further attacks."
      );
      # Remediation here is removal of the default (example) files; no fixed
      # version is named in this plugin.
      script_set_attribute(attribute:"solution", value:"Remove default files from the web server.");
      # Scoring: network-reachable, low complexity, no authentication, and a
      # confidentiality-only impact (C:P in CVSS2, C:L in CVSS3).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      # NOTE(review): exploit_available is "false" here although the temporal
      # vectors above say proof-of-concept (E:POC / E:P) and public entries are
      # catalogued for CVE-2002-2007 (EDB-ID:21490 covers source.jsp); treat the
      # flag as possibly stale when prioritising - confirm.
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/05/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/03/31");
    
      script_set_attribute(attribute:"plugin_type", value: "remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
      script_end_attributes();
    
      # Declared as an information-gathering check in the "CGI abuses" family.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2020 David Kyger");
      script_family(english:"CGI abuses");
    
      # Scheduling constraints: depends on tomcat_error_version.nasl, needs a web
      # service (or port 8080) and the "installed_sw/Apache Tomcat" KB key.
      script_dependencies("tomcat_error_version.nasl");
      script_require_ports("Services/www", 8080);
      script_require_keys("installed_sw/Apache Tomcat");
      # Registration is complete; nothing below this block runs in this mode.
      exit(0);
    }
    
    #
    # The script code starts here
    #
    include("http_func.inc");
    include("http_keepalive.inc");
    
    # NOTE(review): the fallback port here is 80, while script_require_ports()
    # in the registration block lists 8080 - confirm which default is intended.
    port = get_http_port(default:80, embedded:TRUE);
    
    if(get_port_state(port))
    {
      # A response is treated as a disclosed listing only when it contains both
      # of these substrings.
      # NOTE(review): "file" is a very common substring, so the decision rests
      # almost entirely on "Directory Listing"; an unrelated page containing
      # both strings would presumably be reported as well - confirm.
      listing_marker = "Directory Listing";
      entry_marker   = "file";
    
      # The two query-string variants of source.jsp that are requested in turn.
      probes = make_list(
        "/examples/jsp/source.jsp??",
        "/examples/jsp/source.jsp?/jsp/"
      );
    
      foreach probe (probes)
      {
        req_data = http_get(item:probe, port:port);
        reply    = http_keepalive_send_recv(port:port, data:req_data);
        # No response at all: stop silently, nothing is reported.
        if ( reply == NULL ) exit(0);
    
        if ( listing_marker >< reply && entry_marker >< reply )
        {
          # The whole response is embedded in the finding, so the scan report
          # itself carries whatever the server disclosed.
          report = "
    The following information was obtained via a malformed request to
    the web server : " + reply + "
    ";
          security_warning(port:port, extra:report);
          # One positive response is enough; the remaining probe is skipped.
          exit(0);
        }
      }
    }