
Apache Tomcat DefaultServlet File Disclosure Vulnerability


Published: 2002-09-27
Updated: 2002-09-27
Severity:
Threat type: password recovery
Error type: design error
Exploit mode: server mode

BUGTRAQ ID:5786

Affected systems
Apache Software Foundation Tomcat 3.0
   - BSDI BSD/OS 4.0
   - Caldera OpenLinux 2.4
   - Debian Linux 2.1
   - Debian Linux 2.2
   - Digital UNIX 4.0
   - FreeBSD FreeBSD 4.0
   - FreeBSD FreeBSD 5.0
   - MandrakeSoft Linux Mandrake 7.0
   - MandrakeSoft Linux Mandrake 7.1
   - NetBSD NetBSD 1.4 x86
   - NetBSD NetBSD 1.4.2 x86
   - RedHat Linux 6.1 i386
   - RedHat Linux 6.2 i386
   - SGI IRIX 6.4
   - SGI IRIX 6.5
   - Sun Solaris 7.0
   - Sun Solaris 8.0
Apache Software Foundation Tomcat 3.1
   - BSDI BSD/OS 4.0
   - Caldera OpenLinux 2.4
   - Conectiva Linux 5.1
   - Debian Linux 2.1
   - Debian Linux 2.2
   - Digital UNIX 4.0
   - FreeBSD FreeBSD 4.0
   - FreeBSD FreeBSD 5.0
   - MandrakeSoft Linux Mandrake 7.0
   - MandrakeSoft Linux Mandrake 7.1
   - NetBSD NetBSD 1.4.1 x86
   - NetBSD NetBSD 1.4.2 x86
   - RedHat Linux 6.1 i386
   - RedHat Linux 6.2 i386
   - SGI IRIX 6.4
   - SGI IRIX 6.5
   - Sun Solaris 7.0
   - Sun Solaris 8.0
Apache Software Foundation Tomcat 3.1.1
Apache Software Foundation Tomcat 3.2
   - BSDI BSD/OS 4.0
   - Caldera OpenLinux 2.4
   - Conectiva Linux 5.1
   - Debian Linux 2.1
   - Debian Linux 2.2
   - Digital UNIX 4.0
   - FreeBSD FreeBSD 4.0
   - FreeBSD FreeBSD 5.0
   - MandrakeSoft Linux Mandrake 7.0
   - MandrakeSoft Linux Mandrake 7.1
   - NetBSD NetBSD 1.4.1 x86
   - NetBSD NetBSD 1.4.2 x86
   - RedHat Linux 6.1 i386
   - RedHat Linux 6.2 i386
   - SGI IRIX 6.4
   - SGI IRIX 6.5
   - Sun Solaris 7.0
   - Sun Solaris 8.0
Apache Software Foundation Tomcat 3.2.1
   - BSDI BSD/OS 4.0
   - Caldera OpenLinux 2.4
   - Conectiva Linux 5.1
   - Debian Linux 2.1
   - Debian Linux 2.2
   - Digital UNIX 4.0
   - FreeBSD FreeBSD 4.0
   - FreeBSD FreeBSD 5.0
   - HP Secure OS software for Linux 1.0
   - MandrakeSoft Linux Mandrake 7.0
   - MandrakeSoft Linux Mandrake 7.1
   - NetBSD NetBSD 1.4.1 x86
   - NetBSD NetBSD 1.4.2 x86
   - RedHat Linux 6.1 i386
   - RedHat Linux 6.2 i386
   - SGI IRIX 6.4
   - SGI IRIX 6.5
   - Sun Solaris 7.0
   - Sun Solaris 8.0
Apache Software Foundation Tomcat 3.2.2 beta2
   - BSDI BSD/OS 4.0
   - Caldera OpenLinux 2.4
   - Conectiva Linux 5.1
   - Debian Linux 2.1
   - Debian Linux 2.2
   - Digital UNIX 4.0
   - FreeBSD FreeBSD 4.0
   - FreeBSD FreeBSD 5.0
   - MandrakeSoft Linux Mandrake 7.0
   - MandrakeSoft Linux Mandrake 7.1
   - NetBSD NetBSD 1.4.1 x86
   - NetBSD NetBSD 1.4.2 x86
   - RedHat Linux 6.1 i386
   - RedHat Linux 6.2 i386
   - SGI IRIX 6.4
   - SGI IRIX 6.5
   - Sun Solaris 7.0
   - Sun Solaris 8.0
Apache Software Foundation Tomcat 3.2.3
Apache Software Foundation Tomcat 3.2.4
Apache Software Foundation Tomcat 3.3
   - BSDI BSD/OS 4.0
   - Caldera OpenLinux 2.4
   - Conectiva Linux 5.1
   - Debian Linux 2.1
   - Debian Linux 2.2
   - Digital UNIX 4.0
   - FreeBSD FreeBSD 4.0
   - FreeBSD FreeBSD 5.0
   - MandrakeSoft Linux Mandrake 7.0
   - MandrakeSoft Linux Mandrake 7.1
   - NetBSD NetBSD 1.4.1 x86
   - NetBSD NetBSD 1.4.2 x86
   - RedHat Linux 6.1 i386
   - RedHat Linux 6.2 i386
   - SGI IRIX 6.4
   - SGI IRIX 6.5
   - Sun Solaris 7.0
   - Sun Solaris 8.0
Apache Software Foundation Tomcat 3.3.1
Apache Software Foundation Tomcat 4.0
   - BSDI BSD/OS 4.0
   - Caldera OpenLinux 2.4
   - Conectiva Linux 5.1
   - Debian Linux 2.1
   - Debian Linux 2.2
   - Digital UNIX 4.0
   - FreeBSD FreeBSD 4.0
   - FreeBSD FreeBSD 5.0
   - MandrakeSoft Linux Mandrake 7.0
   - MandrakeSoft Linux Mandrake 7.1
   - NetBSD NetBSD 1.4.1 x86
   - NetBSD NetBSD 1.4.2 x86
   - RedHat Linux 6.1 i386
   - RedHat Linux 6.2 i386
   - SGI IRIX 6.4
   - SGI IRIX 6.5
   - Sun Solaris 7.0
   - Sun Solaris 8.0
Apache Software Foundation Tomcat 4.0.1
   - BSDI BSD/OS 4.0
   - Caldera OpenLinux 2.4
   - Conectiva Linux 5.1
   - Debian Linux 2.1
   - Debian Linux 2.2
   - Digital UNIX 4.0
   - FreeBSD FreeBSD 4.0
   - FreeBSD FreeBSD 5.0
   - MandrakeSoft Linux Mandrake 7.0
   - MandrakeSoft Linux Mandrake 7.1
   - NetBSD NetBSD 1.4.1 x86
   - NetBSD NetBSD 1.4.2 x86
   - RedHat Linux 6.1 i386
   - RedHat Linux 6.2 i386
   - SGI IRIX 3.3
   - SGI IRIX 6.4
   - SGI IRIX 6.5
   - Sun Solaris 7.0
   - Sun Solaris 8.0
Apache Software Foundation Tomcat 4.0.2
Apache Software Foundation Tomcat 4.0.3
Apache Software Foundation Tomcat 4.0.4
Apache Software Foundation Tomcat 4.1
   - BSDI BSD/OS 4.0
   - Caldera OpenLinux 2.4
   - Conectiva Linux 5.1
   - Debian Linux 2.1
   - Debian Linux 2.2
   - Debian Linux 2.3
   - Digital UNIX 4.0
   - FreeBSD FreeBSD 4.5
   - FreeBSD FreeBSD 5.0
   - MandrakeSoft Linux Mandrake 7.0
   - MandrakeSoft Linux Mandrake 7.1
   - NetBSD NetBSD 1.4.1 x86
   - NetBSD NetBSD 1.4.2 x86
   - RedHat Linux 6.1 i386
   - RedHat Linux 6.2 i386
   - SGI IRIX 3.3
   - SGI IRIX 6.4
   - SGI IRIX 6.5
   - Sun Solaris 7.0
   - Sun Solaris 8.0
Apache Software Foundation Tomcat 4.1.3 beta
Apache Software Foundation Tomcat 4.1.9 beta
Apache Software Foundation Tomcat 4.1.10
Detailed description
Apache Tomcat ships by default with the "org.apache.catalina.servlets.DefaultServlet" servlet.

By invoking this servlet directly, any file under the web root can be read, which exposes JSP source code and, through it, database user names and passwords.

Test code
For example, the source of the page http://target/admin/target.jsp can be obtained with the following request:

http://target/admin/servlet/org.apache.catalina.servlets.DefaultServlet/target.jsp

Solution
If Apache or another HTTP server is deployed as a front end, filter requests matching */servlet/org.apache.catalina.servlets.DefaultServlet*. If Tomcat is driven through mod_jk/jk2, filter any URL or /servlet/ access that is not needed.

Alternatively, add the following to web.xml:

<security-constraint>
  <display-name>Default Servlet</display-name>
  <!-- Disable direct calls on the Default Servlet -->
  <web-resource-collection>
    <web-resource-name>Disallowed Location</web-resource-name>
    <url-pattern>/servlet/org.apache.catalina.servlets.DefaultServlet/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name></role-name>
  </auth-constraint>
</security-constraint>
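
As an added example (not part of this advisory and not Tomcat's own code), the Python script below scans access-log lines in Common Log Format for requests that reach DefaultServlet through the /servlet/ invoker path the advisory tells front ends to filter, and separates responses that were served (2xx) from those that were blocked. An administrator can run it over a real access log to confirm that the front-end filter or the web.xml constraint is in effect and to find disclosures that happened before it was applied. The log lines, hosts, timestamps and paths embedded here are constructed; the function and constant names are this example's own.

```python
"""Flag access-log requests that reach Tomcat's DefaultServlet through the
/servlet/ invoker path (BID 5786). Added example; the sample log lines below
are constructed, not taken from any real server."""
import re
from urllib.parse import unquote

# Path fragment the advisory tells front-end servers to filter.
INVOKER_MARKER = "/servlet/org.apache.catalina.servlets.DefaultServlet"

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (IPs, times and paths are placeholders).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Sep/2002:10:01:12 +0800] "GET /admin/target.jsp HTTP/1.0" 200 1532
10.0.0.9 - - [27/Sep/2002:10:01:40 +0800] "GET /admin/servlet/org.apache.catalina.servlets.DefaultServlet/target.jsp HTTP/1.0" 200 804
10.0.0.9 - - [27/Sep/2002:10:01:55 +0800] "GET /shop/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp HTTP/1.0" 200 1210
10.0.0.9 - - [27/Sep/2002:10:02:03 +0800] "GET /servlet/org.apache.catalina.servlets%2EDefaultServlet/index.jsp HTTP/1.0" 403 214
10.0.0.7 - - [27/Sep/2002:10:03:00 +0800] "GET /images/logo.gif HTTP/1.0" 200 4096
"""


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_invoker_hit(path):
    """True if the request path addresses DefaultServlet via the /servlet/ invoker.

    The query string is dropped and the path is percent-decoded once before
    matching, because the container decodes the path before mapping it; a
    filter that compares the raw string would miss an encoded request."""
    path = unquote(path.split("?", 1)[0])
    return INVOKER_MARKER in path


def find_invoker_hits(log_text):
    """Return (host, method, decoded path, status) for every invoker request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and is_invoker_hit(rec["path"]):
            hits.append((rec["host"], rec["method"],
                         unquote(rec["path"]), int(rec["status"])))
    return hits


def summarize(hits):
    """Per client host: (requests served with 2xx, requests answered otherwise).

    A non-zero 'served' count means a file was actually disclosed; 'blocked'
    counts attempts that the front-end filter or security-constraint refused."""
    summary = {}
    for host, _method, _path, status in hits:
        served, blocked = summary.get(host, (0, 0))
        if 200 <= status < 300:
            served += 1
        else:
            blocked += 1
        summary[host] = (served, blocked)
    return summary


if __name__ == "__main__":
    hits = find_invoker_hits(SAMPLE_LOG)
    for host, method, path, status in hits:
        print(f"{host} {method} {path} -> {status}")
    print(summarize(hits))
```

Run it against a real file by replacing SAMPLE_LOG with the log's contents; the per-host summary is what to look at first, since a host with a non-zero "served" count obtained file contents before the fix was in place and the affected JSPs should be reviewed for embedded credentials.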

Upgrades:

Apache Software Foundation Tomcat 3.0:

Apache Software Foundation Upgrade Jakarta Tomcat 4.0.5
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Apache Software Foundation Tomcat 3.1:

Apache Software Foundation Upgrade Jakarta Tomcat 4.0.5
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Apache Software Foundation Tomcat 3.1.1:

Apache Software Foundation Upgrade Jakarta Tomcat 4.0.5
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Apache Software Foundation Tomcat 3.2:

Apache Software Foundation Upgrade Jakarta Tomcat 4.0.5
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Apache Software Foundation Tomcat 3.2.1:

Apache Software Foundation Upgrade Jakarta Tomcat 4.0.5
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Apache Software Foundation Tomcat 3.2.2 beta2:

Apache Software Foundation Upgrade Jakarta Tomcat 4.0.5
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Apache Software Foundation Tomcat 3.2.3:

Apache Software Foundation Upgrade Jakarta Tomcat 4.0.5
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Apache Software Foundation Tomcat 3.2.4:

Apache Software Foundation Upgrade Jakarta Tomcat 4.0.5
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Apache Software Foundation Tomcat 3.3:

Apache Software Foundation Upgrade Jakarta Tomcat 4.0.5
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Apache Software Foundation Tomcat 3.3.1:

Apache Software Foundation Upgrade Jakarta Tomcat 4.0.5
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Apache Software Foundation Tomcat 4.0:

Apache Software Foundation Upgrade Jakarta Tomcat 4.0.5
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Apache Software Foundation Tomcat 4.0.1:

Apache Software Foundation Upgrade Jakarta Tomcat 4.0.5
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Apache Software Foundation Tomcat 4.0.2:

Apache Software Foundation Upgrade Jakarta Tomcat 4.0.5
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Apache Software Foundation Tomcat 4.0.3:

Apache Software Foundation Upgrade Jakarta Tomcat 4.0.5
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Apache Software Foundation Tomcat 4.0.4:

Apache Software Foundation Upgrade Jakarta Tomcat 4.0.5
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Apache Software Foundation Tomcat 4.1:

Apache Software Foundation Upgrade Jakarta Tomcat 4.1.12
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/

Apache Software Foundation Tomcat 4.1.3 beta:

Apache Software Foundation Upgrade Jakarta Tomcat 4.1.12
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/

Apache Software Foundation Tomcat 4.1.9 beta:

Apache Software Foundation Upgrade Jakarta Tomcat 4.1.12
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/

Apache Software Foundation Tomcat 4.1.10:

Apache Software Foundation Upgrade Jakarta Tomcat 4.1.12
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/

Related information
Rossen Raykov <Rossen.Raykov@CognicaseUSA.com>.
Reference: http://online.securityfocus.com/advisories/4503
http://online.securityfocus.com/archive/1/292936
http://online.securityfocus.com/archive/1/293050