Red Hat Bugzilla – Bug 201915
CVE-2006-3835 tomcat directory listing leak (RHAPS)
Last modified: 2007-04-18 13:47:08 EDT
ScanAlert Security Advisory:
Apache Tomcat can be forced to reveal a complete directory listing for any
directory by requesting a mapped file extension prepended with a semicolon, a
reserved character. The file does not need to exist.
This is not a security bug (it is a bug, just not a security one..). The
directory list can be aquired with the ";" only if directory listing is allowed.
If directory listing is disabled, tomcat will show a 404 page if a ";" is in
there. Based on what I am seeing, it seems that everything after the ";" gets
cut off, and tomcat only considers the initial part. e.g.
http://site.org/ will display contents
http://site.org/;test will display contents
http://site.org/ will display 404
http://site.org/;test will display 404
Listing enabled/disabled, but index.[jsp|html|etc.] is in root
http://site.org/ will display the index
http://site.org/;test will display the index
Thus, there is no scenario where a ";" lists directory contents, but directory
contents cannnot otherwise be fetched.
Instructions to disable listing are here:
Some additional details:
This is a bug (that everything after ";" gets discarded by tomcat), but not a
The ";" basically does not allow a user (visiting the site) to do anything they
otherwise cannot do. The crux of the argument on why this was a security issue
is that if someone put a ";" in the path, they got the directory listed.
However, if they had simply put the directory name in the URL, they could've
gotten the directory listed then too. If directory listing is disabled on the
other hand, then there is no way for any user to get the directory list, not
even with a ";"
I tested on tomcat 5.0.28 and tomcat 5.5.12. In both cases, once I disabled
directory listing, I was unable to get the directory contents even with a ";" in
Details on how to disable directory listing are here: