Bug 237084 (CVE-2006-3835) - CVE-2006-3835 tomcat directory listing issue
Summary: CVE-2006-3835 tomcat directory listing issue
Alias: CVE-2006-3835
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: All
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 237086 237090 238402 390331 390341 390351 390361 414311 430730 430731 449337 470236 470237
Blocks: 444136
TreeView+ depends on / blocked
Reported: 2007-04-19 12:09 UTC by Mark J. Cox
Modified: 2021-11-12 19:33 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-05-08 18:05:05 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:1069 0 normal SHIPPED_LIVE Moderate: tomcat security update for Red Hat Network Satellite Server 2007-11-26 13:56:32 UTC
Red Hat Product Errata RHSA-2010:0602 0 normal SHIPPED_LIVE Moderate: Red Hat Certificate System 7.3 security update 2010-08-05 14:04:51 UTC

Description Mark J. Cox 2007-04-19 12:09:31 UTC
According to http://tomcat.apache.org/security-5.html

Fixed in Apache Tomcat 5.5.13, 5.0.HEAD

Directory listing CVE-2006-3835

This is expected behaviour when directory listings are enabled. The semicolon
(;) is the separator for path parameters so inserting one before a file name
changes the request into a request for a directory with a path parameter. If
directory listings are enabled, a directory listing will be shown. In response
to this and other directory listing issues, directory listings were changed to
be disabled by default.

Affects: 5.0.0-5.5.30, 5.5.0-5.5.12

Comment 1 Mark J. Cox 2007-04-19 12:13:30 UTC
Note that there's no actual fix in Tomcat 5.5.17 (as the problem is not Tomcat 
related, but is caused by mod_jk). It is simply that in that release 
directory listing is disabled by default, while in previous versions it 
is enabled by default which mitigates this issue.

Therefore the severity of this issue for a given Tomcat package will depend on
how Tomcat is packaged and the defaults used.

Comment 2 Mark J. Cox 2007-04-23 11:03:00 UTC
Advisory text: "Directory listings were enabled by default in Tomcat.  This
could lead to a minor information leak if sensitive information is stored
unprotected under the document root and the administrator did not disable
directory listings (CVE-2007-0450)"

Comment 8 errata-xmlrpc 2010-08-04 21:32:31 UTC
This issue has been addressed in following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html

Comment 9 Vincent Danen 2013-05-08 18:05:05 UTC
Please see https://access.redhat.com/security/cve/CVE-2006-3835 for a list of other products that contain this fix.

Note You need to log in before you can comment on or make changes to this bug.