
Apache Tomcat Invoker Servlet File Disclosure Vulnerability


Published: 2003-01-10
Updated: 2003-01-10
Severity:
Threat type: server information disclosure
Bug type: design error
Exploitation: server side

BUGTRAQ ID:6562
CVE(CAN) ID:CAN-2002-1394

Affected systems
Apache Software Foundation Tomcat 4.0
   - BSDI BSD/OS 4.0
   - Caldera OpenLinux 2.4
   - Conectiva Linux 5.1
   - Debian Linux 2.1
   - Debian Linux 2.2
   - Digital UNIX 4.0
   - FreeBSD FreeBSD 4.0
   - FreeBSD FreeBSD 5.0
   - MandrakeSoft Linux Mandrake 7.0
   - MandrakeSoft Linux Mandrake 7.1
   - NetBSD NetBSD 1.4.1 x86
   - NetBSD NetBSD 1.4.2 x86
   - RedHat Linux 6.1 i386
   - RedHat Linux 6.2 i386
   - SGI IRIX 6.4
   - SGI IRIX 6.5
   - Sun Solaris 7.0
   - Sun Solaris 8.0
Apache Software Foundation Tomcat 4.0.1
   - BSDI BSD/OS 4.0
   - Caldera OpenLinux 2.4
   - Conectiva Linux 5.1
   - Debian Linux 2.1
   - Debian Linux 2.2
   - Digital UNIX 4.0
   - FreeBSD FreeBSD 4.0
   - FreeBSD FreeBSD 5.0
   - MandrakeSoft Linux Mandrake 7.0
   - MandrakeSoft Linux Mandrake 7.1
   - NetBSD NetBSD 1.4.1 x86
   - NetBSD NetBSD 1.4.2 x86
   - RedHat Linux 6.1 i386
   - RedHat Linux 6.2 i386
   - SGI IRIX 3.3
   - SGI IRIX 6.4
   - SGI IRIX 6.5
   - Sun Solaris 7.0
   - Sun Solaris 8.0
Apache Software Foundation Tomcat 4.0.2
Apache Software Foundation Tomcat 4.0.3
Apache Software Foundation Tomcat 4.0.4
Apache Software Foundation Tomcat 4.0.5
Apache Software Foundation Tomcat 4.1
   - BSDI BSD/OS 4.0
   - Caldera OpenLinux 2.4
   - Conectiva Linux 5.1
   - Debian Linux 2.1
   - Debian Linux 2.2
   - Debian Linux 2.3
   - Digital UNIX 4.0
   - FreeBSD FreeBSD 4.5
   - FreeBSD FreeBSD 5.0
   - MandrakeSoft Linux Mandrake 7.0
   - MandrakeSoft Linux Mandrake 7.1
   - NetBSD NetBSD 1.4.1 x86
   - NetBSD NetBSD 1.4.2 x86
   - RedHat Linux 6.1 i386
   - RedHat Linux 6.2 i386
   - SGI IRIX 3.3
   - SGI IRIX 6.4
   - SGI IRIX 6.5
   - Sun Solaris 7.0
   - Sun Solaris 8.0
Apache Software Foundation Tomcat 4.1.3 beta
Apache Software Foundation Tomcat 4.1.9 beta
Apache Software Foundation Tomcat 4.1.10
Detailed description
The Apache Tomcat server contains an information disclosure vulnerability.

An attacker who requests a specially constructed URL can make the server return the unprocessed source of a JSP page or, in certain configurations, the contents of protected static resources, resulting in information disclosure.

Test code
None yet

Solution
Remove the following lines from the $CATALINA_HOME/conf/web.xml configuration file:

<servlet-mapping>
<servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
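
The check below audits a conf/web.xml for the invoker mapping described above and produces a copy with that mapping removed. It is an added example, not code from xfocus, Tomcat or the Apache project; the sample web.xml fragment it parses is constructed for the demonstration, and the servlet-class names in it are only there to make the fragment look like a real Tomcat 4 file.

```python
"""Audit a Tomcat conf/web.xml for the invoker servlet mapping
(servlet-name "invoker", url-pattern "/servlet/*") and produce a copy
with that mapping removed, as the advisory recommends.

Added example: not code from xfocus, Tomcat or the Apache project.
The SAMPLE_WEB_XML fragment below is constructed for the demonstration."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

INVOKER_NAME = "invoker"
INVOKER_PATTERN = "/servlet/*"

# Constructed Tomcat-4-style conf/web.xml fragment that still carries the
# invoker mapping the advisory says to delete.
SAMPLE_WEB_XML = """<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _is_invoker(mapping: ET.Element) -> bool:
    """True if a <servlet-mapping> routes to the invoker servlet, either by
    name or by the /servlet/* pattern (either one is enough to flag it)."""
    name = (mapping.findtext("servlet-name") or "").strip()
    pattern = (mapping.findtext("url-pattern") or "").strip()
    return name == INVOKER_NAME or pattern == INVOKER_PATTERN


def find_invoker_mappings(web_xml: str) -> List[Tuple[str, str]]:
    """Return (servlet-name, url-pattern) for every invoker mapping found.
    An empty list means the advisory's fix is already applied."""
    root = ET.fromstring(web_xml)
    return [
        ((m.findtext("servlet-name") or "").strip(),
         (m.findtext("url-pattern") or "").strip())
        for m in root.findall("servlet-mapping")
        if _is_invoker(m)
    ]


def remove_invoker_mappings(web_xml: str) -> str:
    """Return the web.xml text with every invoker <servlet-mapping> dropped.
    Other mappings (default, *.jsp) are left untouched; the <servlet>
    definition for invoker may stay, as it is unreachable without a mapping."""
    root = ET.fromstring(web_xml)
    for m in list(root.findall("servlet-mapping")):
        if _is_invoker(m):
            root.remove(m)
    return ET.tostring(root, encoding="unicode")


def remaining_patterns(web_xml: str) -> List[str]:
    """url-patterns still mapped, in file order, for a quick sanity check."""
    root = ET.fromstring(web_xml)
    return [(m.findtext("url-pattern") or "").strip()
            for m in root.findall("servlet-mapping")]


if __name__ == "__main__":
    print("invoker mappings found:", find_invoker_mappings(SAMPLE_WEB_XML))
    hardened = remove_invoker_mappings(SAMPLE_WEB_XML)
    print("after removal:", find_invoker_mappings(hardened))
    print("remaining url-patterns:", remaining_patterns(hardened))
```

The serialised output drops the DOCTYPE and any XML comments, so treat it as a verification aid: run find_invoker_mappings over the real conf/web.xml to confirm the mapping is present, delete the four lines by hand, and run it again to confirm an empty result before restarting Tomcat.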

Patch downloads:

Apache Software Foundation Tomcat 4.0:

Apache Software Foundation Hotfix 13365.zip
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip

Apache Software Foundation Tomcat 4.0.1:

Apache Software Foundation Hotfix 13365.zip
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip

Apache Software Foundation Tomcat 4.0.2:

Apache Software Foundation Hotfix 13365.zip
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip

Apache Software Foundation Tomcat 4.0.3:

Apache Software Foundation Hotfix 13365.zip
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip

Debian Upgrade tomcat4_4.0.3-3woody2_all.deb
http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2_all.deb

Debian Upgrade tomcat4-webapps_4.0.3-3woody2_all.deb
http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4-webapps_4.0.3-3woody2_all.deb

Debian Upgrade libtomcat4-java_4.0.3-3woody2_all.deb
http://security.debian.org/pool/updates/contrib/t/tomcat4/libtomcat4-java_4.0.3-3woody2_all.deb

Apache Software Foundation Tomcat 4.0.4:

Apache Software Foundation Hotfix 13365.zip
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip

Apache Software Foundation Tomcat 4.0.5:

Apache Software Foundation Hotfix 13365.zip
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip

Apache Software Foundation Tomcat 4.1:

Apache Software Foundation Upgrade Jakarta Tomcat 4.1.12
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/

Apache Software Foundation Tomcat 4.1.3 beta:

Apache Software Foundation Upgrade Jakarta Tomcat 4.1.12
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/

Apache Software Foundation Tomcat 4.1.9 beta:

Apache Software Foundation Upgrade Jakarta Tomcat 4.1.12
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/

Apache Software Foundation Tomcat 4.1.10:

Apache Software Foundation Upgrade Jakarta Tomcat 4.1.12
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/

Related information
Reference: http://online.securityfocus.com/advisories/4853