Red Hat Bugzilla – Bug 237084
CVE-2006-3835 tomcat directory listing issue
Last modified: 2013-05-08 14:05:05 EDT
According to http://tomcat.apache.org/security-5.html
Fixed in Apache Tomcat 5.5.13, 5.0.HEAD
Directory listing CVE-2006-3835
This is expected behaviour when directory listings are enabled. The semicolon
(;) is the separator for path parameters so inserting one before a file name
changes the request into a request for a directory with a path parameter. If
directory listings are enabled, a directory listing will be shown. In response
to this and other directory listing issues, directory listings were changed to
be disabled by default.
Affects: 5.0.0-5.5.30, 5.5.0-5.5.12
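As an added example (not part of this bug report or of Tomcat's own code), a Python check for both sides of the issue described above: it flags access-log requests whose path parameter turns a file request into a directory request, and it reports whether the DefaultServlet `listings` init-param is enabled in conf/web.xml. The log lines and the web.xml fragment are constructed, and `jsessionid` path parameters are assumed to be routine session tracking rather than probes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Tomcat access log lines (not real traffic): a normal file fetch,
# the CVE-2006-3835 pattern, and a routine jsessionid path parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2007:10:00:00 +0000] "GET /docs/index.html HTTP/1.1" 200 1024
10.0.0.5 - - [01/Jan/2007:10:00:01 +0000] "GET /docs/;index.html HTTP/1.1" 200 4096
10.0.0.6 - - [01/Jan/2007:10:00:02 +0000] "GET /app/;jsessionid=1A2B HTTP/1.1" 200 512
"""
REQ_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def strip_path_params(uri):
    """Drop ';...' from each segment, as the container does when mapping a URI to a resource."""
    path = uri.split("?", 1)[0]
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def listing_probes(log_text):
    """(uri, status) for requests whose non-jsessionid path parameter resolves to a directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m or ";" not in m.group("uri"):
            continue
        uri = m.group("uri")
        params = [seg.split(";", 1)[1] for seg in uri.split("/") if ";" in seg]
        effective = strip_path_params(uri)  # '/docs/;index.html' -> '/docs/'
        if effective.endswith("/") and not all(p.startswith("jsessionid=") for p in params):
            hits.append((uri, m.group("status")))
    return hits

# Constructed conf/web.xml fragment carrying the weak setting (listings=true).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee"><servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
</servlet></web-app>"""

def listings_enabled(web_xml_text):
    """True when the 'listings' init-param is true; the mitigation is to set it to false."""
    root = ET.fromstring(web_xml_text)
    name = None
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # ignore the web-app XML namespace
        if tag == "param-name":
            name = (el.text or "").strip()
        elif tag == "param-value" and name == "listings":
            return (el.text or "").strip().lower() == "true"
    return False
```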
Note that there's no actual fix in Tomcat 5.5.17 (as the problem is not Tomcat
related, but is caused by mod_jk). It is simply that in that release
directory listing is disabled by default, while in previous versions it
is enabled by default, which mitigates this issue.
Therefore the severity of this issue for a given Tomcat package will depend on
how Tomcat is packaged and the defaults used.
Advisory text: "Directory listings were enabled by default in Tomcat. This
could lead to a minor information leak if sensitive information is stored
unprotected under the document root and the administrator did not disable
directory listings (CVE-2007-0450)"
This issue has been addressed in the following products:
Red Hat Certificate System 7.3
Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html
Please see https://access.redhat.com/security/cve/CVE-2006-3835 for a list of other products that contain this fix.