| GEN:SID | 1:2061 |
| Message | WEB-MISC Tomcat null byte directory listing attempt |
| Summary | Jakarta Tomcat webserver.
|
| Impact | Information disclosure
|
| Detailed Information | A vulnerability exists in Jakarta Tomcat webservers prior to version 3.3.1a such that a request containing a null byte will result in a directory listing or present the opportunity to view the source of a java servlet on the server.
This occurs wether or not an index file is present in the directory.
|
| Affected Systems | Jakarta Tomcat web application server prior to version 3.3.1a
|
| Attack Scenarios | The attacker needs to supply a null byte in a URI request to the server.
|
| Ease of Attack | Simple
|
| Corrective Action | Upgrade the server to the latest non-affected version.
|
| Additional References | CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0042
Apache Jakarta Tomcat: http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/
|
| Rule References | bugtraq: 2518
bugtraq: 6721
cve: 2003-0042
|