Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 201915

Summary: CVE-2006-3835 tomcat directory listing leak (RHAPS)
Product: [Retired] Red Hat Application Server Reporter: Marcel Holtmann <holtmann>
Component: tomcatAssignee: Fernando Nasser <fnasser>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 1.2CC: dbhole, rafaels, security-response-team, viveklak
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,source=cve,reported=20060724,public=20060721
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-08-18 20:21:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marcel Holtmann 2006-08-09 18:56:35 UTC
ScanAlert Security Advisory:

http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0467.html

Apache Tomcat can be forced to reveal a complete directory listing for any
directory by requesting a mapped file extension prepended with a semicolon, a
reserved character. The file does not need to exist.

Comment 5 Deepak Bhole 2006-08-16 22:03:22 UTC
This is not a security bug (it is a bug, just not a security one..). The
directory list can be aquired with the ";" only if directory listing is allowed.
If directory listing is disabled, tomcat will show a 404 page if a ";" is in
there. Based on what I am seeing, it seems that everything after the ";" gets
cut off, and tomcat only considers the initial part. e.g.

Listing allowed:
http://site.org/ will display contents
http://site.org/;test will display contents

Listing disabled:
http://site.org/ will display 404
http://site.org/;test will display 404

Listing enabled/disabled, but index.[jsp|html|etc.] is in root
http://site.org/ will display the index
http://site.org/;test will display the index

Thus, there is no scenario where a ";" lists directory contents, but directory
contents cannnot otherwise be fetched.

Instructions to disable listing are here:
http://tomcat.apache.org/faq/misc.html#listing



Comment 7 Deepak Bhole 2006-08-18 15:10:08 UTC
Some additional details:

This is a bug (that everything after ";" gets discarded by tomcat), but not a
security issue.

The ";" basically does not allow a user (visiting the site) to do anything they
otherwise cannot do. The crux of the argument on why this was a security issue
is that if someone put a ";" in the path, they got the directory listed.
However, if they had simply put the directory name in the URL, they could've
gotten the directory listed then too. If directory listing is disabled on the
other hand, then there is no way for any user to get the directory list, not
even with a ";"

I tested on tomcat 5.0.28 and tomcat 5.5.12. In both cases, once I disabled
directory listing, I was unable to get the directory contents even with a ";" in
there.

Details on how to disable directory listing are here:
http://tomcat.apache.org/faq/misc.html#listing