Vulnerabilities > CVE-2002-2007 - Information Disclosure vulnerability in Apache Tomcat 3.2.3/3.2.4
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
Summary
The default installations of Apache Tomcat 3.2.3 and 3.2.4 allow remote attackers to obtain sensitive system information, such as directory listings and the web root path, via erroneous HTTP requests for Java Server Pages (JSP) in the (1) test/jsp, (2) samples/jsp and (3) examples/jsp directories, or the (4) test/realPath.jsp servlet, which leaks pathnames in error messages.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 2 |
Exploit-Db
description: Apache Tomcat 3.2.3/3.2.4 RealPath.JSP Malformed Request Information Disclosure. CVE-2002-2007. Remote exploits for multiple platform
id: EDB-ID:21492
last seen: 2016-02-02
modified: 2002-05-29
published: 2002-05-29
reporter: Richard Brain
source: https://www.exploit-db.com/download/21492/
title: Apache Tomcat 3.2.3/3.2.4 - RealPath.JSP Malformed Request Information Disclosure

description: Apache Tomcat 3.2.3/3.2.4 Example Files Web Root Path Disclosure. CVE-2002-2007. Remote exploits for multiple platform
id: EDB-ID:21491
last seen: 2016-02-02
modified: 2002-05-29
published: 2002-05-29
reporter: Richard Brain
source: https://www.exploit-db.com/download/21491/
title: Apache Tomcat 3.2.3/3.2.4 - Example Files Web Root Path Disclosure

description: Apache Tomcat 3.2.3/3.2.4 Source.JSP Malformed Request Information Disclosure. CVE-2002-2007. Remote exploits for multiple platform
id: EDB-ID:21490
last seen: 2016-02-02
modified: 2002-05-29
published: 2002-05-29
reporter: Richard Brain
source: https://www.exploit-db.com/download/21490/
title: Apache Tomcat 3.2.3/3.2.4 - Source.JSP Malformed Request Information Disclosure
Nessus
NASL family Web Servers NASL id TOMCAT_EXAMPLES_WEBROOT_DISCLOSURE.NASL description The instance of Apache Tomcat listening on the remote host is affected by an information disclosure vulnerability. An attacker is able to determine the Tomcat application last seen 2020-06-01 modified 2020-06-02 plugin id 50688 published 2010-11-23 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50688 title Apache Tomcat Examples Web Root Path Disclosure code
#
# (C) Tenable Network Security, Inc.
#
# Remote check for CVE-2002-2007: requests Tomcat test JSPs and looks for a
# filesystem path leaked in the response body.
#

include("compat.inc");

# Registration pass: declares the plugin metadata and exits before any
# request is sent to the target.
if (description)
{
  script_id(50688);
  script_version("1.12");
  script_cvs_date("Date: 2018/08/01 17:36:15");

  script_cve_id("CVE-2002-2007");
  script_bugtraq_id(4877, 4878);

  script_name(english:"Apache Tomcat Examples Web Root Path Disclosure");
  script_summary(english:"Checks Apache Tomcat Information Disclosure.");

  script_set_attribute(
    attribute:"synopsis",
    value: "The remote Apache Tomcat server is affected by an information disclosure vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value: "The instance of Apache Tomcat listening on the remote host is affected by an information disclosure vulnerability. An attacker is able to determine the Tomcat application's web root path by requesting any one of numerous example files."
  );
  script_set_attribute(attribute:"see_also", value:"http://tomcat.apache.org/security-3.html#Fixed_in_Apache_Tomcat_3.3a");
  # Remediation reported to the operator.
  script_set_attribute(attribute:"solution", value:"Upgrade to 3.3a or later.");
  # CVSS vectors: network-reachable, no authentication, partial/low
  # confidentiality impact only.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  # NOTE(review): the patch date below precedes the vulnerability
  # publication date - confirm against the vendor advisory.
  script_set_attribute(attribute:"vuln_publication_date", value:"2002/05/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2002/01/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/23");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  # ACT_GATHER_INFO: the check is registered as information gathering.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

  script_dependencies("tomcat_error_version.nasl");
  script_require_ports("Services/www", 8080);
  script_require_keys("installed_sw/Apache Tomcat");
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("webapp_func.inc");
include("http.inc");

# exit_if_zero:TRUE - presumably ends the plugin when no Tomcat install
# was recorded by an earlier detection plugin.
get_install_count(app_name:"Apache Tomcat", exit_if_zero:TRUE);
port = get_http_port(default:8080);
# 'install' is not referenced again below.
install = get_single_install(app_name:"Apache Tomcat", port:port);

# URLs that produced a matching response; reported at the end.
vuln_urls = make_list();
# Candidate pages, requested in this order.
# NOTE(review): 'test/jsp/pageInfo.jsp' and 'test/jsp/pageImport2.jsp'
# appear twice, so a thorough run requests them twice and, on a match,
# adds them to vuln_urls twice.
test_urls = make_list(
  'test/jsp/pageInfo.jsp',
  'test/jsp/pageImport2.jsp',
  'test/jsp/buffer1.jsp',
  'test/jsp/buffer2.jsp',
  'test/jsp/buffer3.jsp',
  'test/jsp/buffer4.jsp',
  'test/jsp/comments.jsp',
  'test/jsp/extends1.jsp',
  'test/jsp/extends2.jsp',
  'test/jsp/pageAutoFlush.jsp',
  'test/jsp/pageDouble.jsp',
  'test/jsp/pageExtends.jsp',
  'test/jsp/pageImport2.jsp',
  'test/jsp/pageInfo.jsp',
  'test/jsp/pageInvalid.jsp',
  'test/jsp/pageIsErrorPage.jsp',
  'test/jsp/pageIsThreadSafe.jsp',
  'test/jsp/pageLanguage.jsp',
  'test/jsp/pageSession.jsp',
  'test/jsp/declaration/IntegerOverflow.jsp',
  'test/realPath.jsp'
);

# Pattern 1: a path (Windows drive letter or leading '/') followed by
# either the 'work/localhost_8080' directory or the realPath.jsp file
# path. Capture group 2 is the leaked path prefix.
# NOTE(review): 'localhost_8080' is hard-coded, so that alternative
# would not match an instance whose work directory is named for a
# different host or port - confirm.
vuln_pat1 = "(\n|The real path is )([A-Z]:\\.*|\/.*)([\/\\]work[\/\\]localhost_8080|[\/\\]webapps[\/\\]test[\/\\]test[\/\\]realPath.jsp)";
# Pattern 2: a Jasper CompileException error page that names a file
# under webapps/test. Capture group 2 is again the path prefix.
# NOTE(review): the trailing '\([0-9],[0-9]\)' accepts only a
# single-digit line and column, so an error reported at line or column
# 10 or higher would not match.
vuln_pat2 = "(\n)<h2>Location:.*</h2><b>Internal Servlet Error:</b><br><pre>org\.apache\.jasper\.compiler\.CompileException: ([A-Z]:\\.*|\/.*)webapps[\/\\]test[\/\\].*\.jsp\([0-9],[0-9]\)";

foreach url (test_urls)
{
  # fetch404:TRUE - presumably returns the body of error responses too,
  # which is where the path leaks; exit_on_fail:TRUE ends the plugin on
  # a failed request.
  r = http_send_recv3(
    port         : port,
    method       : 'GET',
    item         : '/'+url,
    fetch404     : TRUE,
    exit_on_fail : TRUE
  );

  # r[2] is matched against pattern 1 first, then pattern 2.
  matches = eregmatch(pattern:vuln_pat1, string:r[2]);
  if (!matches) matches = eregmatch(pattern:vuln_pat2, string:r[2]);

  if (!isnull(matches[2]))
  {
    vuln_urls = make_list(vuln_urls, url);
    # Overwritten on every match, so the report shows the last path found.
    web_root = matches[2];
  }

  # Outside thorough mode the loop stops after the first URL whether or
  # not it matched.
  # NOTE(review): a server where only that first page was removed is
  # therefore reported as not affected unless thorough tests are on.
  if (!thorough_tests) break;
}

if (max_index(vuln_urls) > 0)
{
  if (report_verbosity > 0)
  {
    # The report contains the disclosed web root path.
    header =
      "Nessus was able to obtain the remote Tomcat web root path : " + '\n\n' +
      web_root + '\n\n' +
      'The install path was obtained using the following URL';

    report = get_vuln_report(port:port, items:vuln_urls, header:header);
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
}
else exit(0, "The Tomcat server listening on port " + port + " is not affected.");
NASL family CGI abuses NASL id TOMCAT_SRCJSP_MALFORMED_REQUEST.NASL description The source.jsp page, distributed with Apache Tomcat, discloses information when given a specially crafted query string. This can reveal information such as the web root path and directory listings. A remote attacker exploit this information to mount further attacks. last seen 2020-06-01 modified 2020-06-02 plugin id 12123 published 2004-03-31 reporter This script is Copyright (C) 2004-2019 David Kyger source https://www.tenable.com/plugins/nessus/12123 title Apache Tomcat source.jsp Arbitrary Directory Listing code
#
# This script was written by David Kyger <[email protected]>
#
# See the Nessus Scripts License for details
#
# Remote check for CVE-2002-2007: requests the bundled source.jsp example
# page with two query strings and looks for a directory listing in the
# response.
#

include("compat.inc");

# Registration pass: declares the plugin metadata and exits before any
# request is sent to the target.
if (description)
{
  script_id(12123);
  script_version("1.19");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  script_cve_id("CVE-2002-2007");
  script_bugtraq_id(4876);
  script_xref(name:"CERT", value:"116963");

  script_name(english:"Apache Tomcat source.jsp Arbitrary Directory Listing");
  script_summary(english:"Checks for the Tomcat source.jsp malformed request vulnerability.");

  script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by an information disclosure vulnerability.");
  script_set_attribute(
    attribute:"description",
    value: "The source.jsp page, distributed with Apache Tomcat, discloses information when given a specially crafted query string. This can reveal information such as the web root path and directory listings. A remote attacker exploit this information to mount further attacks."
  );
  # Remediation reported to the operator: remove the sample content.
  script_set_attribute(attribute:"solution", value:"Remove default files from the web server.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vuln_publication_date", value:"2002/05/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/03/31");
  script_set_attribute(attribute:"plugin_type", value: "remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2020 David Kyger");
  script_family(english:"CGI abuses");

  script_dependencies("tomcat_error_version.nasl");
  script_require_ports("Services/www", 8080);
  script_require_keys("installed_sw/Apache Tomcat");
  exit(0);
}

#
# The script code starts here
#

include("http_func.inc");
include("http_keepalive.inc");

# NOTE(review): the default port here is 80 while script_require_ports
# above lists 8080 - confirm which is intended.
port = get_http_port(default:80, embedded:TRUE);

if(get_port_state(port))
{
  # Both substrings must be present in a response for it to be flagged.
  # NOTE(review): "file" is a very generic substring, so any page that
  # also contains "Directory Listing" would be flagged; review findings
  # before acting on them.
  pat1 = "Directory Listing";
  pat2 = "file";

  # The two request paths tried, in order.
  fl[0] = "/examples/jsp/source.jsp??";
  fl[1] = "/examples/jsp/source.jsp?/jsp/";

  # The loop ends at the first unset element of fl.
  for(i=0;fl[i];i=i+1)
  {
    req = http_get(item:fl[i], port:port);
    buf = http_keepalive_send_recv(port:port, data:req);
    # No response: stop without reporting anything.
    if ( buf == NULL ) exit(0);

    # '><' is the NASL substring test: true when the left string occurs
    # in the right one.
    if ( pat1 >< buf && pat2 >< buf)
    {
      # The whole raw response is embedded in the report, so the scan
      # output itself carries the disclosed listing.
      report = " The following information was obtained via a malformed request to the web server : " + buf + " ";
      security_warning(port:port, extra:report);
      # The first matching request ends the check.
      exit(0);
    }
  }
}
References
- http://cert.uni-stuttgart.de/archive/bugtraq/2002/05/msg00272.html
- http://cert.uni-stuttgart.de/archive/bugtraq/2002/05/msg00275.html
- http://www.iss.net/security_center/static/9208.php
- http://www.kb.cert.org/vuls/id/116963
- http://www.procheckup.com/security_info/vuln_pr0205.html
- http://www.procheckup.com/security_info/vuln_pr0206.html
- http://www.procheckup.com/security_info/vuln_pr0207.html
- http://www.securityfocus.com/bid/4876
- http://www.securityfocus.com/bid/4877
- http://www.securityfocus.com/bid/4878