Signature Detail

Short Name

HTTP:TOMCAT:URL-ENC-DIRTRAV

Severity

Medium

Recommended

No

Recommended Action

Drop

Category

HTTP

Keywords

Apache Tomcat allowLinking URIencoding Directory Traversal Vulnerability

Release Date

2011/12/21

Update Number

2051

Supported Platforms

idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: Apache Tomcat allowLinking URIencoding Directory Traversal Vulnerability


This signature detects attempts to exploit a known directory traversal vulnerability in Apache Tomcat (CVE-2008-2938). The flaw is an input validation error: when a context is configured with allowLinking="true" and the connector's URIEncoding is set to UTF-8, Tomcat does not properly sanitize URL-encoded directory traversal sequences in the request URI, so an encoded ".." (for example the overlong UTF-8 form %c0%ae%c0%ae) can escape the web application's document root. A successful attack lets an unauthenticated remote attacker read any file the Tomcat process can read, which may disclose sensitive information such as configuration files and credentials.

Extended Description

Multiple Java runtime implementations are prone to a vulnerability because they fail to sufficiently sanitize user-supplied input. The underlying defect is that the runtime's UTF-8 decoder accepted non-shortest-form (overlong) byte sequences, so bytes that a strict decoder rejects, such as %c0%ae, were silently decoded to ASCII characters like "." and formed a ".." sequence that the normal traversal checks did not see. Exploiting this issue in Apache Tomcat allows an attacker to view arbitrary local files within the context of the web server; information harvested may aid in launching further attacks, and other attacks may also be possible. Exploiting this issue in other applications depends on the individual application: successful exploits may bypass intended security filters, with varying security impact. UPDATE (December 18, 2008): Reports indicate that this issue may affect additional, unspecified Java Virtual Machine (JVM) implementations distributed by Sun, HP, IBM, Apple, and Apache. UPDATE (January 9, 2009): This BID previously documented an issue in Apache Tomcat; further reports indicate that the underlying issue is in various Java runtime implementations.
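The following is an added example, not Juniper's signature logic and not code from Tomcat or any JVM. It shows what a detector for this signature has to do: percent-decode the request path once (as Tomcat does), decode the resulting bytes the way a permissive UTF-8 decoder did (accepting overlong forms such as C0 AE for "."), and only then look for ".." segments and whether they climb above the web root. It is run over a handful of constructed request lines (not captured traffic); the sample paths, the helper names (lenient_utf8_decode, analyze_request, scan) and the verdict fields are all assumptions made for this illustration.

```python
"""Added example: flag URL-encoded directory traversal in HTTP request
lines, including the overlong UTF-8 form of '.' (%c0%ae) used against
Tomcat in CVE-2008-2938.  Not Juniper's signature logic."""
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass
class TraversalVerdict:
    raw_path: str
    decoded_path: str
    traversal: bool       # a ".." segment appears after decoding
    escapes_root: bool    # the ".." segments climb above the web root
    overlong_utf8: bool   # decoding needed a non-shortest-form sequence
    strict_rejects: bool  # a strict UTF-8 decoder refuses these bytes


def lenient_utf8_decode(data: bytes) -> tuple[str, bool]:
    """Decode UTF-8 the way a permissive decoder does: overlong sequences are
    accepted and mapped to the code point they encode (C0 AE -> U+002E '.').
    Returns (text, saw_overlong).  Malformed bytes become U+FFFD."""
    out, overlong, i = [], False, 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                       # plain ASCII
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            extra, cp, floor = 1, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:
            extra, cp, floor = 2, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF7:
            extra, cp, floor = 3, b & 0x07, 0x10000
        else:                              # stray continuation or invalid lead
            out.append("\ufffd")
            i += 1
            continue
        tail = data[i + 1:i + 1 + extra]
        if len(tail) < extra or any(c & 0xC0 != 0x80 for c in tail):
            out.append("\ufffd")
            i += 1
            continue
        for c in tail:
            cp = (cp << 6) | (c & 0x3F)
        if cp < floor:                     # non-shortest form: the attack's trick
            overlong = True
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + extra
    return "".join(out), overlong


def analyze_request(request_line: str) -> TraversalVerdict:
    """Inspect the request-target of a line such as 'GET /a/b HTTP/1.1'.
    Assumes one round of %XX decoding, which is what Tomcat applies."""
    target = request_line.split()[1]
    raw_path = target.split("?", 1)[0]
    data = unquote_to_bytes(raw_path)
    try:
        data.decode("utf-8")               # Python's decoder is strict
        strict_rejects = False
    except UnicodeDecodeError:
        strict_rejects = True
    decoded, overlong = lenient_utf8_decode(data)
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    depth, escapes = 0, False
    for seg in segments:
        if seg == "..":
            depth -= 1
            escapes = escapes or depth < 0
        else:
            depth += 1
    return TraversalVerdict(raw_path, decoded, ".." in segments,
                            escapes, overlong, strict_rejects)


# Constructed request lines (not captured traffic): benign, %2e-encoded,
# a ..%2f form that stays inside the root, and the overlong-UTF-8 form.
SAMPLE_REQUESTS = [
    "GET /docs/index.html HTTP/1.1",
    "GET /app/%2e%2e/%2e%2e/WEB-INF/web.xml HTTP/1.1",
    "GET /app/images/..%2fstyle.css HTTP/1.1",
    "GET /%c0%ae%c0%ae/%c0%ae%c0%ae/conf/tomcat-users.xml HTTP/1.1",
]


def scan(requests=SAMPLE_REQUESTS):
    """Return the verdict for every request line."""
    return [analyze_request(r) for r in requests]


if __name__ == "__main__":
    for v in scan():
        print(f"{v.raw_path!r:60} -> {v.decoded_path!r}  traversal={v.traversal} "
              f"escapes_root={v.escapes_root} overlong={v.overlong_utf8} "
              f"strict_rejects={v.strict_rejects}")
```

The last sample line decodes to /../../conf/tomcat-users.xml only because the decoder tolerates the overlong form; Python's strict decoder raises on the same bytes, which is the property the fixed runtimes and Tomcat's later workaround rely on: reject non-shortest-form UTF-8 before any path normalization. For a sensor, the strict_rejects flag on its own is a strong indicator, since no legitimate client emits overlong UTF-8 in a request path.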

Affected Products

  • Apache Software Foundation Harmony 5.0 M7
  • Apache Software Foundation Harmony 5.0 M8
  • Apache Software Foundation Tomcat 4.1.0
  • Apache Software Foundation Tomcat 4.1.10
  • Apache Software Foundation Tomcat 4.1.12
  • Apache Software Foundation Tomcat 4.1.24
  • Apache Software Foundation Tomcat 4.1.28
  • Apache Software Foundation Tomcat 4.1.29
  • Apache Software Foundation Tomcat 4.1.3
  • Apache Software Foundation Tomcat 4.1.30
  • Apache Software Foundation Tomcat 4.1.31
  • Apache Software Foundation Tomcat 4.1.32
  • Apache Software Foundation Tomcat 4.1.34
  • Apache Software Foundation Tomcat 4.1.36
  • Apache Software Foundation Tomcat 4.1.37
  • Apache Software Foundation Tomcat 4.1.3 Beta
  • Apache Software Foundation Tomcat 4.1.9 Beta
  • Apache Software Foundation Tomcat 5.5.0
  • Apache Software Foundation Tomcat 5.5.1
  • Apache Software Foundation Tomcat 5.5.10
  • Apache Software Foundation Tomcat 5.5.11
  • Apache Software Foundation Tomcat 5.5.12
  • Apache Software Foundation Tomcat 5.5.13
  • Apache Software Foundation Tomcat 5.5.14
  • Apache Software Foundation Tomcat 5.5.15
  • Apache Software Foundation Tomcat 5.5.16
  • Apache Software Foundation Tomcat 5.5.17
  • Apache Software Foundation Tomcat 5.5.18
  • Apache Software Foundation Tomcat 5.5.19
  • Apache Software Foundation Tomcat 5.5.2
  • Apache Software Foundation Tomcat 5.5.20
  • Apache Software Foundation Tomcat 5.5.21
  • Apache Software Foundation Tomcat 5.5.22
  • Apache Software Foundation Tomcat 5.5.23
  • Apache Software Foundation Tomcat 5.5.24
  • Apache Software Foundation Tomcat 5.5.25
  • Apache Software Foundation Tomcat 5.5.26
  • Apache Software Foundation Tomcat 5.5.3
  • Apache Software Foundation Tomcat 5.5.4
  • Apache Software Foundation Tomcat 5.5.5
  • Apache Software Foundation Tomcat 5.5.6
  • Apache Software Foundation Tomcat 5.5.7
  • Apache Software Foundation Tomcat 5.5.8
  • Apache Software Foundation Tomcat 5.5.9
  • Apache Software Foundation Tomcat 6.0.0
  • Apache Software Foundation Tomcat 6.0.1
  • Apache Software Foundation Tomcat 6.0.10
  • Apache Software Foundation Tomcat 6.0.11
  • Apache Software Foundation Tomcat 6.0.12
  • Apache Software Foundation Tomcat 6.0.13
  • Apache Software Foundation Tomcat 6.0.14
  • Apache Software Foundation Tomcat 6.0.15
  • Apache Software Foundation Tomcat 6.0.16
  • Apache Software Foundation Tomcat 6.0.2
  • Apache Software Foundation Tomcat 6.0.3
  • Apache Software Foundation Tomcat 6.0.4
  • Apache Software Foundation Tomcat 6.0.5
  • Apache Software Foundation Tomcat 6.0.6
  • Apache Software Foundation Tomcat 6.0.7
  • Apache Software Foundation Tomcat 6.0.8
  • Apache Software Foundation Tomcat 6.0.9
  • Apple Mac OS X Server 10.5.5
  • Avaya Aura Application Enablement Services 3.0
  • Avaya Aura Application Enablement Services 3.1
  • Avaya Aura Application Enablement Services 3.1.3
  • Avaya Aura Application Enablement Services 3.1.4
  • Avaya Aura Application Enablement Services 3.1.5
  • Avaya Aura Application Enablement Services 3.1.6
  • Avaya Aura Application Enablement Services 4.0
  • Avaya Aura Application Enablement Services 4.0.1
  • Avaya Aura Application Enablement Services 4.1
  • Avaya Aura Application Enablement Services 4.2
  • Avaya Aura Application Enablement Services 4.2.1
  • Avaya Meeting Exchange 5.0
  • Avaya Meeting Exchange 5.0.0.0.52
  • Avaya Meeting Exchange - Enterprise Edition
  • Fujitsu INTERSTAGE Application Server Enterprise Edition 6.0
  • Fujitsu INTERSTAGE Application Server Enterprise Edition 7.0
  • Fujitsu INTERSTAGE Application Server Enterprise Edition 7.0.1
  • Fujitsu INTERSTAGE Application Server Enterprise Edition 8.0.0
  • Fujitsu INTERSTAGE Application Server Enterprise Edition 8.0.2
  • Fujitsu INTERSTAGE Application Server Enterprise Edition 9.0.0
  • Fujitsu INTERSTAGE Application Server Enterprise Edition 9.0.0A
  • Fujitsu INTERSTAGE Application Server Enterprise Edition 9.1.0
  • Fujitsu INTERSTAGE Application Server Enterprise Edition 9.1.0B
  • Fujitsu Interstage Application Server Plus 6.0
  • Fujitsu Interstage Application Server Plus 7.0
  • Fujitsu Interstage Application Server Plus 7.0.1
  • Fujitsu INTERSTAGE Application Server Plus Developer 6.0
  • Fujitsu INTERSTAGE Application Server Plus Developer 7.0
  • Fujitsu INTERSTAGE Application Server Standard-J Edition 8.0.0
  • Fujitsu INTERSTAGE Application Server Standard-J Edition 8.0.2
  • Fujitsu INTERSTAGE Application Server Standard-J Edition 9.0.0
  • Fujitsu INTERSTAGE Application Server Standard-J Edition 9.0.0A
  • Fujitsu INTERSTAGE Application Server Standard-J Edition 9.1.0
  • Fujitsu INTERSTAGE Application Server Standard-J Edition 9.1.0B
  • Fujitsu INTERSTAGE Apworks Modelers-J Edition 6.0
  • Fujitsu INTERSTAGE Apworks Modelers-J Edition 6.0A
  • Fujitsu INTERSTAGE Apworks Modelers-J Edition 7.0
  • Fujitsu INTERSTAGE Business Application Server Enterprise 8.0.0
  • Fujitsu INTERSTAGE Job Workload Server 8.1.0
  • Fujitsu INTERSTAGE Studio Enterprise Edition 8.0.1
  • Fujitsu INTERSTAGE Studio Enterprise Edition 9.0.0
  • Fujitsu INTERSTAGE Studio Enterprise Edition 9.1.0
  • Fujitsu INTERSTAGE Studio Enterprise Edition 9.1.0 B
  • Fujitsu INTERSTAGE Studio Standard-J Edition 8.0.1
  • Fujitsu INTERSTAGE Studio Standard-J Edition 9.0.0
  • Fujitsu INTERSTAGE Studio Standard-J Edition 9.1.0
  • Fujitsu INTERSTAGE Studio Standard-J Edition 9.1.0 B
  • HP HP-UX B.11.11
  • HP HP-UX B.11.23
  • HP HP-UX B.11.31
  • Mandriva Linux Mandrake 2008.0
  • Mandriva Linux Mandrake 2008.0 X86 64
  • Mandriva Linux Mandrake 2008.1
  • Mandriva Linux Mandrake 2008.1 X86 64
  • Novell ZENworks Linux Management 7.3
  • OpenJDK java 1.6.0
  • Oracle Oracle10g Application Server 10.1.3.1.0
  • Red Hat Application Server AS4 2
  • Red Hat Application Server ES4 2
  • Red Hat Application Server WS4 2
  • Red Hat Developer Suite AS4 3
  • Red Hat Enterprise Linux 5 Server
  • Red Hat Enterprise Linux Desktop 5 Client
  • Red Hat Enterprise Linux Desktop Workstation 5 Client
  • Red Hat Fedora 8
  • Red Hat Fedora 9
  • Red Hat JBoss Enterprise Application Platform 4.2.0
  • Red Hat JBoss Enterprise Application Platform 4.2.0.CP03
  • Red Hat JBoss Enterprise Application Platform 4.2.0 EL4
  • Red Hat JBoss Enterprise Application Platform 4.2.0 EL5
  • Red Hat Red Hat Network Satellite (for RHEL 4) 5.1
  • Red Hat Red Hat Network Satellite Server 5.0.0
  • Red Hat Red Hat Network Satellite Server 5.0.1
  • Sun JRE (Linux Production Release) 1.4.2
  • Sun JRE (Linux Production Release) 1.4.2 01
  • Sun JRE (Linux Production Release) 1.4.2 02
  • Sun JRE (Linux Production Release) 1.4.2 03
  • Sun JRE (Linux Production Release) 1.4.2 04
  • Sun JRE (Linux Production Release) 1.4.2 05
  • Sun JRE (Linux Production Release) 1.4.2 06
  • Sun JRE (Linux Production Release) 1.4.2 07
  • Sun JRE (Linux Production Release) 1.4.2 08
  • Sun JRE (Linux Production Release) 1.4.2 09
  • Sun JRE (Linux Production Release) 1.4.2 10
  • Sun JRE (Linux Production Release) 1.4.2 10-B03
  • Sun JRE (Linux Production Release) 1.4.2 11
  • Sun JRE (Linux Production Release) 1.4.2 12
  • Sun JRE (Linux Production Release) 1.4.2 13
  • Sun JRE (Linux Production Release) 1.4.2 14
  • Sun JRE (Linux Production Release) 1.4.2 15
  • Sun JRE (Linux Production Release) 1.4.2 16
  • Sun JRE (Linux Production Release) 1.4.2 17
  • Sun JRE (Linux Production Release) 1.4.2 18
  • Sun JRE (Linux Production Release) 1.5.0
  • Sun JRE (Linux Production Release) 1.5.0 01
  • Sun JRE (Linux Production Release) 1.5.0 02
  • Sun JRE (Linux Production Release) 1.5.0 03
  • Sun JRE (Linux Production Release) 1.5.0 04
  • Sun JRE (Linux Production Release) 1.5.0 05
  • Sun JRE (Linux Production Release) 1.5.0 06
  • Sun JRE (Linux Production Release) 1.5.0 07
  • Sun JRE (Linux Production Release) 1.5.0 08
  • Sun JRE (Linux Production Release) 1.5.0 09
  • Sun JRE (Linux Production Release) 1.5.0 .0 Beta
  • Sun JRE (Linux Production Release) 1.5.0 10
  • Sun JRE (Linux Production Release) 1.5.0 11
  • Sun JRE (Linux Production Release) 1.5.0 12
  • Sun JRE (Linux Production Release) 1.5.0 13
  • Sun JRE (Linux Production Release) 1.5.0 14
  • Sun JRE (Linux Production Release) 1.6.0 01
  • Sun JRE (Linux Production Release) 1.6.0 02
  • Sun JRE (Linux Production Release) 1.6.0 03
  • Sun JRE (Solaris Production Release) 1.4.2
  • Sun JRE (Solaris Production Release) 1.4.2 01
  • Sun JRE (Solaris Production Release) 1.4.2 02
  • Sun JRE (Solaris Production Release) 1.4.2 03
  • Sun JRE (Solaris Production Release) 1.4.2 04
  • Sun JRE (Solaris Production Release) 1.4.2 05
  • Sun JRE (Solaris Production Release) 1.4.2 06
  • Sun JRE (Solaris Production Release) 1.4.2 07
  • Sun JRE (Solaris Production Release) 1.4.2 08
  • Sun JRE (Solaris Production Release) 1.4.2 09
  • Sun JRE (Solaris Production Release) 1.4.2 10
  • Sun JRE (Solaris Production Release) 1.4.2 11
  • Sun JRE (Solaris Production Release) 1.4.2 12
  • Sun JRE (Solaris Production Release) 1.4.2 13
  • Sun JRE (Solaris Production Release) 1.4.2 14
  • Sun JRE (Solaris Production Release) 1.4.2 15
  • Sun JRE (Solaris Production Release) 1.4.2 16
  • Sun JRE (Solaris Production Release) 1.4.2 17
  • Sun JRE (Solaris Production Release) 1.4.2 18
  • Sun JRE (Solaris Production Release) 1.5.0
  • Sun JRE (Solaris Production Release) 1.5.0.0 07
  • Sun JRE (Solaris Production Release) 1.5.0.0 08
  • Sun JRE (Solaris Production Release) 1.5.0.0 09
  • Sun JRE (Solaris Production Release) 1.5.0 01
  • Sun JRE (Solaris Production Release) 1.5.0 02
  • Sun JRE (Solaris Production Release) 1.5.0 03
  • Sun JRE (Solaris Production Release) 1.5.0 04
  • Sun JRE (Solaris Production Release) 1.5.0 05
  • Sun JRE (Solaris Production Release) 1.5.0 06
  • Sun JRE (Solaris Production Release) 1.5.0 10
  • Sun JRE (Solaris Production Release) 1.5.0 11
  • Sun JRE (Solaris Production Release) 1.5.0 12
  • Sun JRE (Solaris Production Release) 1.5.0 13
  • Sun JRE (Solaris Production Release) 1.5.0 14
  • Sun JRE (Solaris Production Release) 1.6.0 01
  • Sun JRE (Solaris Production Release) 1.6.0 02
  • Sun JRE (Solaris Production Release) 1.6.0 03
  • Sun JRE (Solaris Production Release) 1.6.0 2
  • Sun JRE (Windows Production Release) 1.4.2
  • Sun JRE (Windows Production Release) 1.4.2 01
  • Sun JRE (Windows Production Release) 1.4.2 02
  • Sun JRE (Windows Production Release) 1.4.2 03
  • Sun JRE (Windows Production Release) 1.4.2 04
  • Sun JRE (Windows Production Release) 1.4.2 05
  • Sun JRE (Windows Production Release) 1.4.2 06
  • Sun JRE (Windows Production Release) 1.4.2 07
  • Sun JRE (Windows Production Release) 1.4.2 08
  • Sun JRE (Windows Production Release) 1.4.2 09
  • Sun JRE (Windows Production Release) 1.4.2 10
  • Sun JRE (Windows Production Release) 1.4.2 11
  • Sun JRE (Windows Production Release) 1.4.2 12
  • Sun JRE (Windows Production Release) 1.4.2 13
  • Sun JRE (Windows Production Release) 1.4.2 14
  • Sun JRE (Windows Production Release) 1.4.2 15
  • Sun JRE (Windows Production Release) 1.4.2 16
  • Sun JRE (Windows Production Release) 1.4.2 17
  • Sun JRE (Windows Production Release) 1.4.2 18
  • Sun JRE (Windows Production Release) 1.5.0
  • Sun JRE (Windows Production Release) 1.5.0.0 07
  • Sun JRE (Windows Production Release) 1.5.0.0 08
  • Sun JRE (Windows Production Release) 1.5.0.0 09
  • Sun JRE (Windows Production Release) 1.5.0 01
  • Sun JRE (Windows Production Release) 1.5.0 02
  • Sun JRE (Windows Production Release) 1.5.0 03
  • Sun JRE (Windows Production Release) 1.5.0 04
  • Sun JRE (Windows Production Release) 1.5.0 05
  • Sun JRE (Windows Production Release) 1.5.0 06
  • Sun JRE (Windows Production Release) 1.5.0 10
  • Sun JRE (Windows Production Release) 1.5.0 11
  • Sun JRE (Windows Production Release) 1.5.0 12
  • Sun JRE (Windows Production Release) 1.5.0 13
  • Sun JRE (Windows Production Release) 1.5.0 14
  • Sun JRE (Windows Production Release) 1.6.0 01
  • Sun JRE (Windows Production Release) 1.6.0 02
  • Sun JRE (Windows Production Release) 1.6.0 03
  • Sun JRE (Windows Production Release) 1.6.0 2
  • SuSE openSUSE 10.2
  • SuSE openSUSE 10.3
  • SuSE openSUSE 11.0
  • SuSE SUSE Linux Enterprise Server 10 SP2
  • WiKID Systems WiKID Server 3.0.4

References

  • BugTraq: 30633
  • CVE: CVE-2008-2938

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.