Published: 2006-07-25 09:22:00
Revised: 2017-07-19 21:32:37

[Original] Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by URLs ending with /;index.jsp and /;

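[CNNVD] Apache Tomcat remote directory 'index.jsp' information disclosure vulnerability (CNNVD-200607-442)

Apache Tomcat is a popular open-source JSP application server.
A flaw exists in Apache Tomcat's initial access configuration; a remote attacker may exploit it to obtain directory information from the server.
Apache Tomcat's initial configuration allows the file list of a directory to be displayed when the directory contains no welcome file such as index.jsp. A remote attacker may use this to list the files in certain directories of a server that has not been properly configured, resulting in disclosure of sensitive information.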

- CVSS (base score)

CVSS score: 5 [Medium (MEDIUM)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:apache:tomcat:5.5.7    Apache Software Foundation Tomcat 5.5.7
cpe:/a:apache:tomcat:5.0.28    Apache Software Foundation Tomcat 5.0.28
cpe:/a:apache:tomcat:5.5.9    Apache Software Foundation Tomcat 5.5.9
cpe:/a:apache:tomcat:5.5.12    Apache Software Foundation Tomcat 5.5.12
cpe:/a:apache:tomcat:5.5.16    Apache Software Foundation Tomcat 5.5.16

- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(PATCH)  FULLDISC  20060721 Directory Listing in Apache Tomcat 5.x.x
(UNKNOWN)  BUGTRAQ  20070509 SEC Consult SA-20070509-0 :: Multiple vulnerabilites in Nokia Intellisync Mobile Suite & Wireless Email Express
(UNKNOWN)  BUGTRAQ  20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
(UNKNOWN)  BUGTRAQ  20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1)
(UNKNOWN)  BUGTRAQ  20091107 ToutVirtual VirtualIQ Multiple Vulnerabilities
(UNKNOWN)  BID  19106
(UNKNOWN)  VUPEN  ADV-2007-1727
(UNKNOWN)  VUPEN  ADV-2008-1979
(UNKNOWN)  VUPEN  ADV-2009-0233
(UNKNOWN)  XF  apache-tomcat-url-information-disclosure(27902)
(UNKNOWN)  XF  nokia-tomcat-source-code-disclosure(34183)

- Vulnerability information

Apache Tomcat remote directory 'index.jsp' information disclosure vulnerability
Medium severity    Input validation
2006-07-25 00:00:00    2009-02-20 00:00:00

- Advisories and patches


- Vulnerability information (F82649)

ToutVirtual VirtualIQ Pro XSS / XSRF / Execution (PacketStormID:F82649)
2009-11-17 00:00:00
Alberto Trivero,Claudio Criscione
exploit,vulnerability,code execution,xss,csrf

ToutVirtual VirtualIQ Pro version 3.2 build 7882 suffers from cross site scripting, cross site request forgery, directory traversal, and code execution vulnerabilities.

Secure Network - Security Research Advisory

Vuln name: ToutVirtual VirtualIQ Pro Multiple Vulnerabilities
Systems affected: ToutVirtual VirtualIQ Professional 3.2 build 7882
Systems not affected: --
Severity: High
Local/Remote: Remote
Vendor URL:
Author(s): Alberto Trivero ( 
Claudio Criscione (
Vendor disclosure: 02/07/2009
Vendor acknowledged: 16/07/2009
Vendor patch release: notified us on 06/11/2009
Public disclosure: 07/11/2009
Advisory number: SN-2009-02
Advisory URL:

*** SUMMARY ***

ToutVirtual's VirtualIQ Pro is specifically designed for IT administrators 
responsible for managing virtual platforms. VirtualIQ Pro provides
Visibility, Analytics and policy-based Optimization - all from one single
console. VirtualIQ Pro is hypervisor-agnostic supporting both Type I and Type 
II hypervisors. VirtualIQ Pro can be used to visualize, analyze and 
optimize your choice of virtualization platform - Citrix, Microsoft,
Novell, Oracle and/or VMware.

Multiple vulnerabilities have been found which allow an attacker to conduct 
various XSS and CSRF attacks, and other attacks due to the use 
of an old and not hardened version of the web server.


(a) Cross-site scripting (XSS)

Due to an improper sanitization of user's input, multiple XSS attacks 
(reflective and stored) are possible.
Reflective PoCs:





Stored XSS attacks can be triggered in the "Middle Name" parameter in the 
"Edit Profile" page with an HTTP request like the following:

POST /tvserver/user/ HTTP/1.1
Host: server:9080
Cookies: JSESSIONID=[...]


(b) Cross-site request forgery (CSRF)

An attacker can perform different types of CSRF attacks against a logged user. 
He can, for example, shutdown, start or restart an arbitrary
virtual machine, schedule new activities and so on.

The following HTTP request, if forged by the attacker and executed by the 
victim while logged on VirtualIQ, creates an arbitrary user:

POST /tvserver/user/ HTTP/1.1
Host: server:9080
Cookie: JSESSIONID=[...]


(c) Web server vulnerabilities

VirtualIQ runs on top of an old version of Apache Tomcat: 5.5.9, for which 
multiple public vulnerabilities have been released. As a 
PoC, a directory traversal attack (CVE-2008-2938) 
can be performed as:


Listing of an arbitrary directory (CVE-2006-3835) can also be obtained with 
the following PoC:;index.jsp

(d) Information Leakage

Tomcat status page should be disabled or restricted, being accessible at:


Username and password to access a VM through SSH are also available in clear 
text in the configuration page. 
Since an XSS vulnerability can also be triggered in the same page, an attacker 
would also be able to easily capture the full credentials to access 
the VM with a specially crafted XSS payload.

(e) Remote code execution

JBoss JMX Management Console is exposed and can be used by remote attackers to 
execute arbitrary commands on the system:


JBoss Web Console is exposed as well and can be used by remote attackers to 
execute any command on the system:


*** EXPLOIT ***

Attackers may exploit these issues through a common browser as explained 


Upgrade to the latest version, at the moment 3.5 build 10.14.2009




Secure Network ( is an information security company, 
which provides consulting and training services, and engages in security 
research and development. 

We are committed to open, full disclosure of vulnerabilities, cooperating
whenever possible with software developers for properly handling disclosure.

This advisory is copyright 2009 Secure Network S.r.l. Permission is 
hereby granted for the redistribution of this alert, provided that it is
not altered except by reformatting it, and that due credit is given. It 
may not be edited in any way without the express consent of Secure Network 
S.r.l. Permission is explicitly given for insertion in vulnerability 
databases and similars, provided that due credit is given to Secure Network.

The information in the advisory is believed to be accurate at the time of 
publishing based on currently available information. This information is
provided as-is, as a free service to the community by Secure Network 
research staff. There are no warranties with regard to this information. 
Secure Network does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

If you have any comments or inquiries, or any issue with what is reported 
in this advisory, please inform us as soon as possible.

GPG/PGP key:
Phone: +39 02 24 12 67 88

Claudio Criscione

Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI) - Italia
Tel: +39 02.24126788 Mob: +39 392 3389178

- Vulnerability information (F74289)

CA20090123-01.txt (PacketStormID:F74289)
2009-01-27 00:00:00
Ken Williams

Multiple security risks exist in Apache Tomcat as included with CA Cohesion and products that contain CA Cohesion. These include, but are not limited to, arbitrary command execution. Affected products include CA Cohesion Application Configuration Manager 4.5, CA CMDB Application Server 11.1, and Unicenter Service Desk 11.2.

Title: CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities

CA Advisory Reference: CA20090123-01

CA Advisory Date: 2009-01-23

Reported By: n/a

Impact: Refer to the CVE identifiers for details.

Summary: Multiple security risks exist in Apache Tomcat as 
included with CA Cohesion Application Configuration Manager. CA 
has issued an update to address the vulnerabilities. Refer to the 
References section for the full list of resolved issues by CVE 

Mitigating Factors: None

Severity: CA has given these vulnerabilities a Medium risk rating.

Affected Products:
CA Cohesion Application Configuration Manager 4.5

Non-Affected Products
CA Cohesion Application Configuration Manager 4.5 SP1

Affected Platforms:

Status and Recommendation:
CA has issued the following update to address the vulnerabilities.

CA Cohesion Application Configuration Manager 4.5:


How to determine if you are affected:

1. Using Windows Explorer, locate the file "RELEASE-NOTES".
2. By default, the file is located in the 
   "C:\Program Files\CA\Cohesion\Server\server\" directory.
3. Open the file with a text editor.
4. If the version is less than 5.5.25, the installation is 

Workaround: None

References (URLs may wrap):
CA Support:
CA20090123-01: Security Notice for Cohesion Tomcat
Solution Document Reference APARs:
CA Security Response Blog posting:
CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
Reported By: 
CVE References:
CVE-2007-3385 *
*Note: the issue was not completely fixed by Tomcat maintainers.
OSVDB References: Pending

Changelog for this advisory:
v1.0 - Initial Release
v1.1 - Updated Impact, Summary, Affected Products

Customers who require additional information should contact CA
Technical Support at

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to the CA Product Vulnerability Response Team.

Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team

CA, 1 CA Plaza, Islandia, NY 11749
Legal Notice
Privacy Policy
Copyright (c) 2009 CA. All rights reserved.

- Vulnerability information

Apache Tomcat semicolon Crafted Filename Request Forced Directory Listing
Vendor Verified

- Vulnerability description

Apache Tomcat contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker makes a crafted file request containing a semicolon (;) before the file name, which will result in the server displaying the contents of the directory. This may disclose sensitive files, unpublished content or back up files.
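
As an added example (not part of the original record or of any advisory quoted on this page), the following triage script scans access-log lines for the request shape described above: a path segment that begins with a semicolon, as in `/;index.jsp` and `/;`. The log format (common/combined), the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample lines (not taken from any real server).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Jul/2006:10:00:01 +0000] "GET /docs/;index.jsp HTTP/1.1" 200 1843
192.0.2.10 - - [21/Jul/2006:10:00:02 +0000] "GET /docs/; HTTP/1.1" 200 1843
192.0.2.11 - - [21/Jul/2006:10:00:03 +0000] "GET /shop/cart.jsp;jsessionid=A1B2C3 HTTP/1.1" 200 512
192.0.2.12 - - [21/Jul/2006:10:00:04 +0000] "GET /docs/%3Bindex.jsp HTTP/1.1" 404 980
192.0.2.13 - - [21/Jul/2006:10:00:05 +0000] "GET /index.jsp?q=a;b HTTP/1.1" 200 300
"""

def has_semicolon_led_segment(target):
    """True if any path segment starts with ';' (the /;index.jsp and /; shapes)."""
    path = urlsplit(target).path  # drops the query string
    # Also test the percent-decoded path: a conservative assumption for triage,
    # not a statement about how Tomcat itself decodes the request.
    for candidate in (path, unquote(path)):
        if any(seg.startswith(";") for seg in candidate.split("/")[1:]):
            return True
    return False

def find_suspect_requests(log_text):
    """Return (client, target, status) for each request matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _method, target, status = m.groups()
        if has_semicolon_led_segment(target):
            hits.append((client, target, int(status)))
    return hits

if __name__ == "__main__":
    for client, target, status in find_suspect_requests(SAMPLE_LOG):
        # A 200 means the server answered the crafted path; review what it returned.
        print(f"{client} {status} {target}")
```

A `;jsessionid=` path parameter that follows a file name is not flagged, because the semicolon does not start the segment; semicolons in the query string are ignored for the same reason.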

- Timeline

2006-07-21 Unknown
Unknown Unknown

- Solution

Upgrade to version 4.1.32, 5.0.HEAD, 5.5.13 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete