JavaRanch » Java Forums » Products » Tomcat
WEB-INF./web.xml exposed

Yong C Lin
Greenhorn

Joined: Jul 28, 2011
Posts: 5
Hi,
I have tried this on these servers:
7.0.12
7.0.14
7.0.19

When I type in [domain]/WEB-INF./web.xml, the web.xml is exposed. How can I prevent people from seeing my web.xml?

Thanks,

Java Guy
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61304
By correctly naming it "WEB-INF" rather than "WEB-INF."

Yong C Lin
Greenhorn

Joined: Jul 28, 2011
Posts: 5
I know WEB-INF/web.xml is OK. However, a hacker will use WEB-INF./web.xml to see my web.xml. This is a problem with Tomcat, it seems. Right?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61304
Java D Guy wrote:However, a hacker will use WEB-INF./web.xml to see my web.xml.

So? If you don't have a "WEB-INF." folder, there's nothing to serve and the hacker will get a 404.

Java D Guy wrote:This is a problem with Tomcat, it seems. Right?

There is no problem to be solved.
Yong C Lin
Greenhorn

Joined: Jul 28, 2011
Posts: 5
I am running it on windows 2008 server. It's displaying the web.xml. I am looking at it...
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61304
Then you must have a "WEB-INF." folder, or something other than Tomcat is serving the file ignoring the "." in the URL. Are you fronting Tomcat with IIS or something?

There is no way on earth that Tomcat is serving files out of WEB-INF when the URL specifies "WEB-INF.".
Yong C Lin
Greenhorn

Joined: Jul 28, 2011
Posts: 5
This is the note from a third party compliance company:

(port 8080) Synopsis : The remote web server is affected by an information disclosure vulnerability. Description : By making a specially-formatted request to the remote web server, it is possible to retrieve files located under the 'WEB-INF' directory. Note that this vulnerability is known to affect the Win32 versions of multiple J2EE servlet containers / application servers.

I googled it and found no mention of this. But it actually happens. I am only using Tomcat, no IIS.

Thanks,

Yong
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16093
Yong C Lin wrote:This is the note from a third party compliance company:

(port 8080) Synopsis : The remote web server is affected by an information disclosure vulnerability. Description : By making a specially-formatted request to the remote web server, it is possible to retrieve files located under the 'WEB-INF' directory. Note that this vulnerability is known to affect the Win32 versions of multiple J2EE servlet containers / application servers.

I googled it and found no mention of this. But it actually happens. I am only using Tomcat, no IIS.

Thanks,

Yong


I would like to see a detailed example of this alleged exploit.

According to the J2EE standard, the WEB-INF directory is sacred, and neither it nor anything under it should ever be served under the default built-in URL processing rule, which says that if there is no more specific way to handle a URL, the host and context parts of the URL are stripped and the remainder is used as a resource path, so that the resource located there may be copied to the HTTP response output stream.

Also according to the J2EE standard, the one and ONLY place to put the server-independent deployment descriptor is in "/WEB-INF". Putting web.xml in "/WEB-INF.", "/CHARLIES_TOYBOX" or "/.WEB-INF" doesn't work. The webapp server is hard-coded to go to /WEB-INF/web.xml and ONLY to /WEB-INF/web.xml.

You CAN serve content out of /WEB-INF, but only if you write explicit web application code that opens the resource under /WEB-INF and copies it to the HttpServletResponse stream AND tie it to a URL pattern via a rule coded in /WEB-INF/web.xml. Any webapp server that serves up content from under WEB-INF without explicit coding in the web application is defective and insecure. And non-conformant with the J2EE standard.

William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12791
Multiple tries against my Tomcat 6 site running on Windows Server 2008 get me nothing but a 404 error.

Waiting for a real example....
Yong C Lin
Greenhorn

Joined: Jul 28, 2011
Posts: 5
OK. It turns out it's a servlet mapping problem:

    <servlet-mapping>
        <servlet-name>FileServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

Commenting this out fixed the problem. Thanks all!
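Tim's point above (nothing under WEB-INF is served unless application code serves it) and the FileServlet mapping that turned out to be the cause fit together once you see what such a servlet does. The following is an added example for this thread, not code from the original post, from Yong's application or from Tomcat: a hypothetical FileServlet mapped to `/` as in the web.xml fragment above, first in the shape that leaks, then hardened. The class names, the use of getRealPath (which assumes an exploded, unpacked deployment) and the helper methods are my own.

```java
// Added example, not code from the original thread or from Tomcat.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * The shape that leaks. Tomcat's own guard (StandardContextValve) refuses
 * request paths that start with "/WEB-INF/" or "/META-INF/", so it never
 * sees a problem with "/WEB-INF./web.xml". The request then reaches this
 * servlet, which maps the URL straight onto the filesystem; on Win32 the
 * trailing "." of a path component is silently dropped, so "WEB-INF." opens
 * "WEB-INF" and the deployment descriptor goes out on the wire.
 */
class VulnerableFileServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // With <url-pattern>/</url-pattern> the whole request path is the servlet path.
        Path file = Paths.get(getServletContext().getRealPath("/"), req.getServletPath());
        if (!Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("application/octet-stream");
        Files.copy(file, resp.getOutputStream());   // no normalisation, no WEB-INF check
    }
}

/** Hardened: decide on the canonical on-disk path, not on the URL string. */
public class HardenedFileServlet extends HttpServlet {

    /**
     * True for WEB-INF or META-INF after stripping the trailing dots and
     * spaces that Win32 discards, compared case-insensitively because NTFS is.
     */
    static boolean isProtectedSegment(String segment) {
        String s = segment.replaceAll("[. ]+$", "").toUpperCase(Locale.ROOT);
        return s.equals("WEB-INF") || s.equals("META-INF");
    }

    /** Resolve a request path to a regular file under docroot, or null to refuse it. */
    static Path resolveSafely(Path docroot, String requestPath) throws IOException {
        Path root = docroot.toRealPath();
        for (String seg : requestPath.split("/")) {          // cheap pre-check on the URL form
            if (seg.equals("..") || isProtectedSegment(seg)) return null;
        }
        Path candidate = root.resolve(requestPath.replaceFirst("^/+", "")).normalize();
        if (!candidate.startsWith(root) || !Files.isRegularFile(candidate)) return null;
        // Canonicalise. This is where "WEB-INF." collapses to "WEB-INF", 8.3 short
        // names expand and symlinks resolve, so re-check the REAL segments, not the
        // ones the client typed.
        Path real = candidate.toRealPath();
        if (!real.startsWith(root)) return null;
        for (Path seg : root.relativize(real)) {
            if (isProtectedSegment(seg.toString())) return null;
        }
        return real;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String path = req.getServletPath()
                + (req.getPathInfo() == null ? "" : req.getPathInfo());
        String docroot = getServletContext().getRealPath("/");   // null for a packed WAR
        Path file = docroot == null ? null : resolveSafely(Paths.get(docroot), path);
        if (file == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);    // 404, not 403: don't confirm it exists
            return;
        }
        String mime = getServletContext().getMimeType(file.getFileName().toString());
        resp.setContentType(mime != null ? mime : "application/octet-stream");
        Files.copy(file, resp.getOutputStream());
    }
}
```

The simplest fix is the one Yong applied: drop the `/` mapping and let Tomcat's DefaultServlet serve static content, since it already refuses WEB-INF and META-INF. If a custom file-serving servlet is really needed, the two things that matter are in `resolveSafely`: the path is canonicalised with `toRealPath()` before any decision is made, and the protected-directory check runs on the canonical segments, so the Windows trailing-dot behaviour that defeated the URL-string check cannot defeat this one. After deploying either fix, request `/WEB-INF./web.xml`, `/web-inf/web.xml` and `/WEB-INF/web.xml` on the Windows host and confirm all three return 404, which is the result William saw from a stock Tomcat.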
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61304
oy!