Signature Detail
Short Name |
HTTP:TOMCAT:JSP-AS-HTML |
|---|---|
Severity |
Medium |
Recommended |
No |
Category |
HTTP |
Keywords |
Apache Tomcat .jsp Interpreted as HTML Source Disclosure |
Release Date |
2003/04/22 |
Update Number |
1213 |
Supported Platforms |
di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
HTTP: Apache Tomcat .jsp Interpreted as HTML Source Disclosure
This signature detects attempts to exploit a known vulnerability in Apache Tomcat. Apache Tomcat 3.3.1 and earlier are vulnerable. Attackers can send a maliciously crafted URL to cause the server to parse a .jsp file as HTML code and display the JSP code, allowing attackers to retrieve normally unaccessable files.
Extended Description
Apache Tomcat is prone to a directory/file disclosure vulnerability when used with JDK 1.3.1 or earlier. It has been reported that remote attackers may view directory contents (even when an 'index.html' or other welcome file). It is also possible for remote attackers to disclose the contents of files. This vulnerability is due to improper handling of null bytes (%00) and backslash ('\') characters in requests for web resources.
Affected Products
- Apache Software Foundation Tomcat 3.0.0
- Apache Software Foundation Tomcat 3.1.0
- Apache Software Foundation Tomcat 3.1.1
- Apache Software Foundation Tomcat 3.2.0
- Apache Software Foundation Tomcat 3.2.1
- Apache Software Foundation Tomcat 3.2.3
- Apache Software Foundation Tomcat 3.2.4
- Apache Software Foundation Tomcat 3.3.0
- Apache Software Foundation Tomcat 3.3.1
References
- BugTraq: 6721
- CVE: CVE-2003-0042
- URL: http://archives.neohapsis.com/archives/bugtraq/2003-01/0360.html