Bug 201915 - CVE-2006-3835 tomcat directory listing leak (RHAPS)
CVE-2006-3835 tomcat directory listing leak (RHAPS)
Product: Red Hat Application Server
Classification: Retired
Component: tomcat (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fernando Nasser
: Security
Depends On:
  Show dependency treegraph
Reported: 2006-08-09 14:56 EDT by Marcel Holtmann
Modified: 2007-04-18 13:47 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-08-18 16:21:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Marcel Holtmann 2006-08-09 14:56:35 EDT
ScanAlert Security Advisory:


Apache Tomcat can be forced to reveal a complete directory listing for any
directory by requesting a mapped file extension prepended with a semicolon, a
reserved character. The file does not need to exist.
Comment 5 Deepak Bhole 2006-08-16 18:03:22 EDT
This is not a security bug (it is a bug, just not a security one..). The
directory list can be aquired with the ";" only if directory listing is allowed.
If directory listing is disabled, tomcat will show a 404 page if a ";" is in
there. Based on what I am seeing, it seems that everything after the ";" gets
cut off, and tomcat only considers the initial part. e.g.

Listing allowed:
http://site.org/ will display contents
http://site.org/;test will display contents

Listing disabled:
http://site.org/ will display 404
http://site.org/;test will display 404

Listing enabled/disabled, but index.[jsp|html|etc.] is in root
http://site.org/ will display the index
http://site.org/;test will display the index

Thus, there is no scenario where a ";" lists directory contents, but directory
contents cannnot otherwise be fetched.

Instructions to disable listing are here:

Comment 7 Deepak Bhole 2006-08-18 11:10:08 EDT
Some additional details:

This is a bug (that everything after ";" gets discarded by tomcat), but not a
security issue.

The ";" basically does not allow a user (visiting the site) to do anything they
otherwise cannot do. The crux of the argument on why this was a security issue
is that if someone put a ";" in the path, they got the directory listed.
However, if they had simply put the directory name in the URL, they could've
gotten the directory listed then too. If directory listing is disabled on the
other hand, then there is no way for any user to get the directory list, not
even with a ";"

I tested on tomcat 5.0.28 and tomcat 5.5.12. In both cases, once I disabled
directory listing, I was unable to get the directory contents even with a ";" in

Details on how to disable directory listing are here:

Note You need to log in before you can comment on or make changes to this bug.