WEB-INF./web.xml exposed

 
Greenhorn
Hi,
I have tried this in these servers:
7.0.12
7.0.14
7.0.19

When I type in [domain]/WEB-INF./web.xml, the web.xml is exposed. How can I prevent people from seeing my web.xml?

Thanks,

Java Guy
 
Bear Bibeault
Sheriff
By correctly naming it "WEB-INF" rather than "WEB-INF."
 
Yong C Lin
Greenhorn
I know WEB-INF/web.xml is OK. However, a hacker will use WEB-INF./web.xml to see my web.xml. This is a problem with Tomcat, as it seems, right?
 
Bear Bibeault
Sheriff
Java D Guy wrote: However, a hacker will use WEB-INF./web.xml to see my web.xml.

So? If you don't have a "WEB-INF." folder, there's nothing to serve and the hacker will get a 404.

Java D Guy wrote: This is a problem with Tomcat, as it seems, right?

There is no problem to be solved.
 
Yong C Lin
Greenhorn
I am running it on Windows 2008 Server. It's displaying the web.xml. I am looking at it...
 
Bear Bibeault
Sheriff
Then you must have a "WEB-INF." folder, or something other than Tomcat is serving the file ignoring the "." in the URL. Are you fronting Tomcat with IIS or something?

There is no way on earth that Tomcat is serving files out of WEB-INF when the URL specifies "WEB-INF.".
 
Yong C Lin
Greenhorn
This is the note from a third party compliance company:

(port 8080) Synopsis : The remote web server is affected by an information disclosure vulnerability. Description : By making a specially-formatted request to the remote web server, it is possible to retrieve files located under the 'WEB-INF' directory. Note that this vulnerability is known to affect the Win32 versions of multiple J2EE servlet containers / application servers.

I googled it and found no mention of this. But it actually happens. I am only using Tomcat, no IIS.

Thanks,

Yong
 
Saloon Keeper
Yong C Lin wrote: This is the note from a third party compliance company:

(port 8080) Synopsis : The remote web server is affected by an information disclosure vulnerability. Description : By making a specially-formatted request to the remote web server, it is possible to retrieve files located under the 'WEB-INF' directory. Note that this vulnerability is known to affect the Win32 versions of multiple J2EE servlet containers / application servers.

I googled it and found no mention of this. But it actually happens. I am only using Tomcat, no IIS.

I would like to see a detailed example of this alleged exploit.

According to the J2EE standard, the WEB-INF directory is sacred and neither it, nor anything under it should ever be served under the default built-in URL processing rule that says if there's no more specific way to handle a URL, the host and context parts of the URL are stripped and the remainder used as a resource path so that the resource located there may be copied to the HTTP Response output stream.

Also according to the J2EE standard, the one and ONLY place to put the server-independent deployment descriptor is in "/WEB-INF". Putting web.xml in "/WEB-INF.", "/CHARLIES_TOYBOX" or "/.WEB-INF" doesn't work. The webapp server is hard-coded to go to /WEB-INF/web.xml and ONLY to /WEB-INF/web.xml.

You CAN serve content out of /WEB-INF, but only if you write explicit web application code that opens the resource under /WEB-INF and copies it to the HttpServletResponse stream AND tie it to a URL pattern via a rule coded in /WEB-INF/web.xml. Any webapp server that serves up content from under WEB-INF without explicit coding in the web application is defective and insecure. And non-conformant with the J2EE standard.
 
Author and all-around good cowpoke
Multiple tries with my Tomcat 6 running on Windows Server 2008 site get me nothing but a 404 error.

Waiting for a real example....
 
Yong C Lin
Greenhorn
OK. It turns out it's a servlet mapping problem:

    <servlet-mapping>
        <servlet-name>FileServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

Commenting this out fixed the problem. Thanks all!
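An added example, not code from this thread or from Tomcat: a hardened stand-in for a catch-all file servlet like the `FileServlet` mapped to `/` above, illustrating the explicit-coding rule from the earlier post about serving under `/WEB-INF`. It refuses any path segment that names `WEB-INF` or `META-INF`, including the trailing-dot spelling `WEB-INF.` that Win32 silently maps onto `WEB-INF`, and re-checks the canonical path so `..` and filesystem aliases cannot escape the docroot. The class name `SafeFileServlet` and the helper `namesReservedDir` are my own assumptions; the servlet API used is the javax.servlet 3.0 API that Tomcat 7 ships.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.util.Locale;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical hardened replacement for a catch-all FileServlet mapped to "/".
public class SafeFileServlet extends HttpServlet {

    // True when any path segment names a reserved directory. Trailing dots and spaces
    // are stripped first because Win32 opens "WEB-INF." and "WEB-INF " as "WEB-INF".
    static boolean namesReservedDir(String path) {
        for (String seg : path.replace('\\', '/').split("/")) {
            String bare = seg.replaceAll("[. ]+$", "").toLowerCase(Locale.ROOT);
            if (bare.equals("web-inf") || bare.equals("meta-inf") || bare.equals("..")) {
                return true;
            }
        }
        return false;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String path = req.getServletPath();            // with url-pattern "/" this is the full path
        if (req.getPathInfo() != null) {
            path += req.getPathInfo();
        }
        String docroot = getServletContext().getRealPath("/");
        if (docroot == null || namesReservedDir(path)) { // null: not an exploded deployment
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Canonicalise both ends so "..", 8.3 short names and symlinks are resolved, then
        // require the target to sit inside the docroot and outside WEB-INF.
        File root = new File(docroot).getCanonicalFile();
        File webInf = new File(root, "WEB-INF").getCanonicalFile();
        File target = new File(root, path).getCanonicalFile();
        String t = target.getPath() + File.separator;
        if (!t.startsWith(root.getPath() + File.separator)
                || t.startsWith(webInf.getPath() + File.separator) || !target.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String type = getServletContext().getMimeType(target.getName());
        resp.setContentType(type != null ? type : "application/octet-stream");
        resp.setContentLength((int) target.length());
        Files.copy(target.toPath(), resp.getOutputStream());
    }
}
```

The name check alone would have answered the scanner's `WEB-INF./web.xml` probe with a 404; the canonical-path check is what keeps the servlet safe against spellings the name check does not anticipate.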
 
Bear Bibeault
Sheriff
oy!