Vulnerabilities > CVE-2002-2009 - Unspecified vulnerability in Apache Tomcat 4.0.1

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
apache
nessus

Summary

Apache Tomcat 4.0.1 allows remote attackers to obtain the web root path via HTTP requests for JSP files preceded by (1) +/, (2) >/, (3) </, and (4) %20/, which leaks the pathname in an error message.

Vulnerable Configurations

Part Description Count
Application
Apache
1

Nessus

NASL family: Web Servers
NASL id: TOMCAT_LONG_URL_PATH_DISCLOSE.NASL
description: The remote Apache Tomcat web server is affected by an information disclosure vulnerability. The full install path of Apache Tomcat can be obtained by sending an HTTP request which contains a long URL. Note that there reportedly is an additional install path disclosure vulnerability in this version of Apache Tomcat; however, Nessus has not explicitly tested for it.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 49701
published: 2010-10-01
reporter: This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/49701
title: Apache Tomcat Long URL Information Disclosure
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  # Plugin identity and external cross-references.
  script_id(49701);
  script_version("1.15");
  script_cvs_date("Date: 2018/11/15 20:50:26");
  script_cve_id("CVE-2001-0917", "CVE-2002-2009");
  script_bugtraq_id(4557, 3199);

  script_name(english:"Apache Tomcat Long URL Information Disclosure");
  script_summary(english:"Checks for information disclosure via long URLs.");

  # Finding text shown to the user.  The multi-line values deliberately keep
  # their embedded newlines; they are part of the attribute value.
  script_set_attribute(attribute:"synopsis", value:
"The remote Apache Tomcat server is affected by an information
disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Apache Tomcat web server is affected by an information
disclosure vulnerability. The full install path of Apache Tomcat can
be obtained by sending an HTTP request which contains a long URL.

Note that there reportedly is an additional install path disclosure
vulnerability in this version of Apache Tomcat; however, Nessus has
not explicitly tested for it.");
  script_set_attribute(attribute:"see_also", value:"http://tomcat.apache.org/security-4.html#Fixed_in_Apache_Tomcat_4.0.2");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2001/Nov/190");
  script_set_attribute(attribute:"solution", value:"Update to Apache Tomcat version 4.0.2 or later.");

  # Scoring.  The vectors encode: reachable over the network, no
  # authentication, partial/low confidentiality impact only (a path leak),
  # no integrity or availability impact, and no known exploit.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Timeline: disclosure, vendor fix (4.0.2), and this plugin's release.
  script_set_attribute(attribute:"vuln_publication_date", value:"2001/11/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2002/02/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/01");

  # Classification.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
  script_end_attributes();

  # ACT_ATTACK: the check sends a crafted request to the target rather than
  # relying on banner data alone.
  script_category(ACT_ATTACK);
  script_family(english:"Web Servers");
  script_copyright(english:"This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Runtime requirements: a prior Tomcat detection and an HTTP port.
  script_dependencies("tomcat_error_version.nasl");
  script_require_ports("Services/www", 8080);
  script_require_keys("installed_sw/Apache Tomcat");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("webapp_func.inc");
include("misc_func.inc");
include("http.inc");

# Returns the filesystem path leaked by one line of the Tomcat error page,
# or NULL when the line discloses nothing.
#
# Three error-page layouts are recognised (Tomcat 3.x on *nix, 4.x on *nix,
# and Windows).  Each check first applies a cheap anchored match to the whole
# line and only then runs the capturing pregmatch.  A line that passes the
# first test but not the second yields NULL for that line (the inline
# original used `continue`), and a later layout check on the same line may
# still override an earlier capture, exactly as before.
#
# NOTE(review): the Windows line check spells "Filename" while its capturing
# pattern spells "filename"; whether that difference matters depends on the
# case-sensitivity of `=~` versus pregmatch — confirm before relying on it.
function extract_disclosed_path(line)
{
  local_var found, m;

  found = NULL;

  # *nix 3.x (output can differ on 3.x)
  if (line =~ "^<h2>Location:.*\.jsp<\/h2>JSP file.* \((File name too long|No such file or directory)\)")
  {
    m = pregmatch(pattern: 'JSP file "(\\/.*\\/)webapps\\/ROOT\\/.*\\.jsp \\((No such file|File name too)', string: line);
    if (!m) return NULL;
    found = m[1];
  }

  # *nix 4.x
  if (line =~ "^<html><head><title>.*\/work\/localhost\/.*jsp\.java \(File name too long\)<\/h1>.*<b>type<\/b> Status Report<\/p>")
  {
    m = pregmatch(pattern: "<\/p><p><b>message<\/b> <u>(\/.*\/)work\/localhost\/\_\/.*jsp\.java \(File name too long\)<\/u><\/p><p>", string: line);
    if (!m) return NULL;
    found = m[1];
  }

  # Windows
  if (line =~ "^<html><head><title>.*\\work\\localhost\\.*jsp\.java \(The Filename, directory name, or ")
  {
    m = pregmatch(pattern:"<\/p><p><b>description<\/b> <u>The requested resource \(([A-Z]:\\.*\\)work\\localhost\\\_\\.*jsp\.java \(The filename, directory name", string: line);
    if (!m) return NULL;
    found = m[1];
  }

  return found;
}

# Bail out unless an earlier plugin recorded a Tomcat install on this port.
get_install_count(app_name:"Apache Tomcat", exit_if_zero:TRUE);
port = get_http_port(default:8080);
install = get_single_install(app_name:"Apache Tomcat", port:port);

# One request for a 250-character JSP name.  On affected builds the server's
# own error page echoes the absolute install path while explaining why the
# file could not be compiled/opened; that echoed path is what the loop below
# looks for.  The remediation is the upgrade named in the solution text
# (4.0.2 or later).
url = "/" + crap(250) + ".jsp";

r = http_send_recv3(
  port            : port,
  method          : "GET",
  item            : url,
  fetch404        : TRUE,
  follow_redirect : 1,
  exit_on_fail    : TRUE
);

# Scan the body line by line; stop at the first line that leaks a path.
disclosed_path = NULL;
foreach line (split(r[2]))
{
  disclosed_path = extract_disclosed_path(line:line);
  if (!isnull(disclosed_path)) break;
}

if (isnull(disclosed_path))
  exit(0, "The Tomcat server listening on port " + port + " is not affected.");

# Verbose reports include the leaked path (sanitised); terse ones do not.
if (report_verbosity > 0)
{
  trailer = 'Disclosed path : ' + data_protection::sanitize_user_paths(report_text:disclosed_path);
  report = get_vuln_report(items:url, port:port, trailer:trailer);
  security_warning(port:port, extra:report);
}
else security_warning(port);