Vulnerabilities > CVE-2003-0042 - Unspecified vulnerability in Apache Tomcat

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
apache
nessus
exploit available

Summary

Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.

Exploit-Db

description: Apache Tomcat 3.x Null Byte Directory/File Disclosure Vulnerability. CVE-2003-0042. Remote exploit for the Linux platform.
id: EDB-ID:22205
last seen: 2016-02-02
modified: 2003-01-26
published: 2003-01-26
reporter: Jouko Pynnönen
source: https://www.exploit-db.com/download/22205/
title: Apache Tomcat 3.x - Null Byte Directory/File Disclosure Vulnerability

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-246.NASL
    description: The developers of tomcat discovered several problems in tomcat version 3.x. The Common Vulnerabilities and Exposures project identifies the following problems: - CAN-2003-0042: A maliciously crafted request could return a directory listing even when an index.html, index.jsp, or other welcome file is present. File contents can be returned as well. - CAN-2003-0043: A malicious web application could read the contents of some files outside the web application via its web.xml file in spite of the presence of a security manager. The content of files that can be read as part of an XML document would be accessible. - CAN-2003-0044: A cross-site scripting vulnerability was discovered in the included sample web application that allows remote attackers to execute arbitrary script code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15083
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15083
    title: Debian DSA-246-1 : tomcat - information exposure, XSS
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-246. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    # Local (dpkg-based) check for DSA-246. This block only registers the plugin
    # metadata when the engine loads it in description mode and then exits; the
    # package-version comparison that performs the detection comes after it.
    include("compat.inc");
    
    if (description)
    {
      script_id(15083);
      script_version("1.24");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      # The DSA covers three candidates; this plugin reports all of them from the
      # single package version, it does not test any of them individually.
      script_cve_id("CVE-2003-0042", "CVE-2003-0043", "CVE-2003-0044");
      script_xref(name:"DSA", value:"246");
    
      script_name(english:"Debian DSA-246-1 : tomcat - information exposure, XSS");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The developers of tomcat discovered several problems in tomcat version
    3.x. The Common Vulnerabilities and Exposures project identifies the
    following problems :
    
      - CAN-2003-0042: A maliciously crafted request could
        return a directory listing even when an index.html,
        index.jsp, or other welcome file is present. File
        contents can be returned as well.
      - CAN-2003-0043: A malicious web application could read
        the contents of some files outside the web application
        via its web.xml file in spite of the presence of a
        security manager. The content of files that can be read
        as part of an XML document would be accessible.
    
      - CAN-2003-0044: A cross-site scripting vulnerability was
        discovered in the included sample web application that
        allows remote attackers to execute arbitrary script
        code."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2003/dsa-246"
      );
      # NOTE(review): the advisory text below says "3.3a-4woody.1" while the
      # deb_check() calls in the runtime section compare against "3.3a-4woody1";
      # the latter looks like the real package version — confirm before changing
      # either string.
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the tomcat package.
    
    For the stable distribution (woody) this problem has been fixed in
    version 3.3a-4woody.1.
    
    
    The old stable distribution (potato) does not contain tomcat packages."
      );
      # Broader than the C:P/I:N/A:N score attached to CVE-2003-0042 alone,
      # presumably because it rates the whole advisory (three issues) — verify.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/01/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/01/25");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # Needs the dpkg inventory collected over SSH; the runtime section audits
      # out when any of these KB keys is missing.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    # Runtime section of the DSA-246 check. It works purely from the dpkg
    # inventory gathered over SSH, so stop (audit() exits the script) when any
    # prerequisite KB entry is absent.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Both woody (3.0) binary packages built from the tomcat source are compared
    # against the fixed version. Every package is always checked; a single hit
    # is enough to report the host.
    fixed = "3.3a-4woody1";
    hits = 0;
    foreach pkg (make_list("libapache-mod-jk", "tomcat"))
    {
      if (deb_check(release:"3.0", prefix:pkg, reference:fixed)) hits++;
    }
    
    if (!hits) audit(AUDIT_HOST_NOT, "affected");
    
    # Verbose reports attach the per-package version comparison text.
    if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
    else security_warning(0);
    exit(0);
    
  • NASL family: CGI abuses
    NASL id: TOMCAT_DIRECTORY_LISTING_AND_FILE_DISCLOSURE.NASL
    description: Apache Tomcat (prior to 3.3.1a) is affected by a directory listing and file disclosure vulnerability. By requesting URLs containing a null character, remote attackers can list directories even when an index.html or other file is present or obtain unprocessed source code for a JSP file. Also note that, when deployed with JDK 1.3.1 or earlier, Tomcat allows files outside of the application directory to be accessed because 'web.xml' files are read with trusted privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11438
    published: 2003-03-22
    reporter: This script is Copyright (C) 2003-2018 A.D.Consulting
    source: https://www.tenable.com/plugins/nessus/11438
    title: Apache Tomcat Directory Listing and File Disclosure
    code:
    #
    # written by Bekrar Chaouki - A.D.Consulting <[email protected]>
    #
    # Apache Tomcat Directory listing and file disclosure Vulnerabilities
    #
    
    # Changes by Tenable:
    # - Revised plugin title (12/28/10)
    # - Added banner check to prevent potential false positives against non-Tomcat
    #   servers. (6/11/2015)
    
    # Remote check for the Tomcat null-byte directory-listing bug. This block only
    # registers plugin metadata in description mode; the HTTP probe that performs
    # the detection follows the "Start" marker further down the file.
    include("compat.inc");
    
    if(description)
    {
     script_id(11438);
     script_version ("1.31");
     script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
     
     # Two CVEs are attached, but the runtime probe only exercises the null-byte
     # listing (CVE-2003-0042); the web.xml issue (CVE-2003-0043) is reported by
     # association, not tested.
     script_cve_id("CVE-2003-0042", "CVE-2003-0043");
     script_bugtraq_id(6721, 6722);
     
     script_name(english:"Apache Tomcat Directory Listing and File Disclosure");
     script_summary(english:"Apache Tomcat Directory listing and File Disclosure Bugs");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by an information disclosure
    vulnerability.");
     script_set_attribute(attribute:"description", value:
    "Apache Tomcat (prior to 3.3.1a) is affected by a directory listing and
    file disclosure vulnerability.
    
    By requesting URLs containing a null character, remote attackers can
    list directories even when an index.html or other file is present or
    obtain unprocessed source code for a JSP file.
    
    Also note that, when deployed with JDK 1.3.1 or earlier, Tomcat allows
    files outside of the application directory to be accessed because
    'web.xml' files are read with trusted privileges.");
     # NOTE(review): the description names 3.3.1a as the first fixed 3.x release,
     # while the solution only points at the 4.1 line — confirm the advice also
     # fits installations that stay on 3.3.x.
     script_set_attribute(attribute:"solution", value:"Upgrade to Apache Tomcat version 4.1.18 or later.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
     script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
     # NOTE(review): exploit_available is "false" although a public Exploit-DB
     # entry (EDB-ID 22205) is listed for CVE-2003-0042 — confirm against
     # Tenable's definition of the flag before using it for prioritisation.
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/22");
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/01/25");
     script_set_attribute(attribute:"patch_publication_date", value:"2003/03/18");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2003-2020 A.D.Consulting");
     script_family(english:"CGI abuses");
    
     # Runs only once the Tomcat fingerprint plugin has populated the KB; the
     # banner check in the runtime section is a second guard on top of this key.
     script_dependencies("tomcat_error_version.nasl");
     script_require_ports("Services/www", 8080);
     script_require_keys("installed_sw/Apache Tomcat");
    
     exit(0);
    }
    
    #
    # Start
    #
    
    include("http_func.inc");
    include("http_keepalive.inc");
    include("global_settings.inc");
    
    # Active probe for the null-byte directory-listing bug (CVE-2003-0042):
    # fetch "/" normally, then request "/<NUL>.jsp", and report only when the
    # second response shows a listing that the first did not.
    
    # TRUE when a response carries either of the two directory-listing markers
    # this plugin recognises.
    function shows_listing(body)
    {
      return (("Index of /" >< body) || ("Directory Listing" >< body));
    }
    
    port = get_http_port(default:8080, embedded:TRUE);
    if (!get_port_state(port)) exit(0, "Port " + port + " is not open.");
    
    # Every negative path exits with the same text; build it once.
    not_affected = "The Tomcat install listening on port " + port + " is not affected.";
    
    # Below paranoid reporting, require a Tomcat/Coyote banner so that other
    # servers which happen to list directories are not reported.
    if (report_paranoia < 2)
    {
      banner = get_http_banner(port:port);
      if (banner && "Tomcat" >!< banner && "Coyote" >!< banner)
        exit(0, "The web server banner on port " + port + " is not Tomcat.");
    }
    
    # Baseline: a server that already lists "/" cannot demonstrate the bug.
    baseline = http_get_cache_ka(item:"/", port:port);
    if (baseline == NULL) exit(0, not_affected);
    if (shows_listing(body:baseline)) exit(0, not_affected);
    
    # Build a GET for "/<NUL>.jsp": the placeholder keeps the NUL byte out of the
    # string literal and is swapped for raw_string(0) once the request is formed.
    probe = http_get(item:"/<REPLACEME>.jsp", port:port);
    probe = str_replace(string:probe, find:"<REPLACEME>", replace:raw_string(0));
    
    res = http_keepalive_send_recv(port:port, data:probe);
    if (res == NULL) exit(0, not_affected);
    if (!shows_listing(body:res)) exit(0, not_affected);
    
    # The full response is attached as evidence.
    security_warning(port:port, extra:'By sending a malformed request, we could obtain the following listing:\n' + res);