Home page logo

bugtraq logo Bugtraq mailing list archives

KPMG-2002024: Apache Tomcat Path Disclosure
From: Peter Gründl <pgrundl () kpmg dk>
Date: Wed, 19 Jun 2002 11:38:38 +0200


Title: Apache Tomcat Path Disclosure

BUG-ID: 2002024
Released: 19th Jun 2002

It is possible to disclose the physical path to the webroot. This
information could be useful to a malicious user wishing to gain
illegal access to resources on the server.

- Apache Tomcat 4.0.3 on Windows 2000 Server

Not Vulnerable:
- Apache Tomcat 4.1.3 beta on Windows 2000 Server

A request for eg. LPT9 results in a java error, which contains
the physical path to the webroot:

"java.io.FileNotFoundException: C:\Program Files\Apache Tomcat
 4.0\webapps\ROOT\lpt9 (The system cannot find the file specified)"

Vendor URL:
You can visit the vendor webpage here: http://jakarta.apache.org

Vendor Response:
This was reported to the vendor on the 23rd of May, 2002. We
never heard back from the vendor. On the 10th of June, 2002, the
issue was confirmed fixed in the latest build.

Corrective action:
Upgrade to V4.1.3 beta, which is available here (URL is wrapped):


Author: Peter Gründl (pgrundl () kpmg dk)

KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.

  By Date           By Thread  

Current thread:
  • KPMG-2002024: Apache Tomcat Path Disclosure Peter Gründl (Jun 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]