Vulnerability Note VU#116963

Apache Tomcat default installation contains sample applications that disclose webroot path

Overview

There is an insecure default configuration in Apache Tomcat web server that places several sample applications in the webroot. Remote users may be able to use these applications to gain sensitive information about the server's configuration.

I. Description

There are several sample applications that ship with Apache Tomcat, and are installed in the webroot by default. If these applications are left in the webroot of a production machine, remote users may be able to gain sensitive information about the server's configuration.

II. Impact

A remote user may be able to gain sensitive information about the server's configuration.

III. Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Remove the sample files prior to placing the server into production.

Systems Affected

Vendor	Status	Date Updated
Apache	Vulnerable	10-Jun-2002

References

http://www.procheckup.com/security_info/vuln_pr0205.html
http://www.procheckup.com/security_info/vuln_pr0206.html
http://www.procheckup.com/security_info/vuln_pr0207.html
http://www.securityfocus.com/bid/4876
http://www.securityfocus.com/bid/4877
http://www.securityfocus.com/bid/4878

Credit

Thanks to ProCheckUp for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

Date Public	05/29/2002
Date First Published	06/11/2002 04:11:34 PM
Date Last Updated	06/11/2002
CERT Advisory
CVE Name
US-CERT Technical Alerts
Metric	3.00
Document Revision	7

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader