Rapid7 Vulnerability & Exploit Database

Apache Tomcat v3.x Example Scripts Information Leakage


Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published: 12/31/2002
Created: 07/25/2018
Added: 11/01/2004
Modified: 12/04/2013

Description

The following example scripts that come with Apache Tomcat v3.2.3 and v3.2.4 can be made to disclose their physical paths:

  • /test/jsp/source.jsp
  • /test/jsp/buffer1.jsp
  • /test/jsp/buffer2.jsp
  • /test/jsp/buffer3.jsp
  • /test/jsp/buffer4.jsp
  • /test/jsp/pageinfo.jsp
  • /test/jsp/pageImport2.jsp
  • /test/jsp/comments.jsp
  • /test/jsp/extends1.jsp
  • /test/jsp/extends2.jsp
  • /test/jsp/pageAutoFlush.jsp
  • /test/jsp/pageDouble.jsp
  • /test/jsp/pageExtends.jsp
  • /test/jsp/pageInfo.jsp
  • /test/jsp/pageInvalid.jsp
  • /test/jsp/pageIsErrorPage.jsp
  • /test/jsp/pageIsThreadSafe.jsp
  • /test/jsp/pageLanguage.jsp
  • /test/jsp/pageSession.jsp
  • /test/jsp/declaration/IntegerOverflow.jsp
  • /test/realpath.jsp

Solution(s)

  • tomcat-3x-delete-example-scripts
