
WEB-INF./web.xml exposed

 
Yong C Lin
Greenhorn
Hi,
I have tried this on these servers:
7.0.12
7.0.14
7.0.19

When I type in [domain]/WEB-INF./web.xml, the web.xml is exposed. How can I prevent people from seeing my web.xml?

Thanks,

Java Guy
 
Bear Bibeault
Author and ninkuma
Marshal
By correctly naming it "WEB-INF" rather than "WEB-INF."
 
Yong C Lin
Greenhorn
I know WEB-INF/web.xml is OK. However, a hacker will use WEB-INF./web.xml to see my web.xml. This is a problem with Tomcat, as it seems. Right?
 
Bear Bibeault
Author and ninkuma
Marshal
Java D Guy wrote:However, a hacker will use WEB-INF./web.xml to see my web.xml.

So? If you don't have a "WEB-INF." folder, there's nothing to serve and the hacker will get a 404.

This is a problem with Tomcat, as it seems. Right?

There is no problem to be solved.
 
Yong C Lin
Greenhorn
I am running it on windows 2008 server. It's displaying the web.xml. I am looking at it...
 
Bear Bibeault
Author and ninkuma
Marshal
Then you must have a "WEB-INF." folder, or something other than Tomcat is serving the file ignoring the "." in the URL. Are you fronting Tomcat with IIS or something?

There is no way on earth that Tomcat is serving files out of WEB-INF when the URL specifies "WEB-INF.".
 
Yong C Lin
Greenhorn
This is the note from a third party compliance company:

(port 8080) Synopsis : The remote web server is affected by an information disclosure vulnerability. Description : By making a specially-formatted request to the remote web server, it is possible to retrieve files located under the 'WEB-INF' directory. Note that this vulnerability is known to affect the Win32 versions of multiple J2EE servlet containers / application servers.

I googled it and found no mention of this. But it actually happens. I am only using Tomcat, no IIS.

Thanks,

Yong
 
Tim Holloway
Saloon Keeper
Yong C Lin wrote:This is the note from a third party compliance company:

(port 8080) Synopsis : The remote web server is affected by an information disclosure vulnerability. Description : By making a specially-formatted request to the remote web server, it is possible to retrieve files located under the 'WEB-INF' directory. Note that this vulnerability is known to affect the Win32 versions of multiple J2EE servlet containers / application servers.

I googled it and found no mention of this. But it actually happens. I am only using Tomcat, no IIS.

Thanks,

Yong


I would like to see a detailed example of this alleged exploit.

According to the J2EE standard, the WEB-INF directory is sacred: neither it nor anything under it should ever be served by the default built-in URL processing rule, which says that if there is no more specific way to handle a URL, the host and context parts of the URL are stripped and the remainder is used as a resource path, so that the resource located there may be copied to the HTTP response output stream.

Also according to the J2EE standard, the one and ONLY place to put the server-independent deployment descriptor is in "/WEB-INF". Putting web.xml in "/WEB-INF.", "/CHARLIES_TOYBOX" or "/.WEB-INF" doesn't work. The webapp server is hard-coded to go to /WEB-INF/web.xml and ONLY to /WEB-INF/web.xml.

You CAN serve content out of /WEB-INF, but only if you write explicit web application code that opens the resource under /WEB-INF and copies it to the HttpServletResponse stream AND tie it to a URL pattern via a rule coded in /WEB-INF/web.xml. Any webapp server that serves up content from under WEB-INF without explicit coding in the web application is defective and insecure. And non-conformant with the J2EE standard.
 
William Brogden
Author and all-around good cowpoke
Rancher
Multiple tries with my Tomcat 6 running on Windows Server 2008 site get me nothing but a 404 error.

Waiting for a real example....
 
Yong C Lin
Greenhorn
OK. It turns out it's a servlet mapping problem:

<servlet-mapping>
    <servlet-name>FileServlet</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

Commenting this out fixed the problem. Thanks all!
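What the last two posts add up to, shown as code: a servlet mapped to "/" that turns the request path into a file and streams it has taken over the job Tomcat's DefaultServlet normally does, including the refusal of WEB-INF and META-INF that Tim describes. On Windows that refusal must also survive the filesystem's habit of ignoring trailing dots and spaces in a path component and matching names case-insensitively, which is exactly how "WEB-INF./web.xml" opened "WEB-INF/web.xml". The servlet below is an added illustration of a hardened version, not the poster's FileServlet (the thread never shows its code); only the class name is borrowed from the web.xml mapping above, everything else is assumed.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Locale;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical hardened FileServlet (class name taken from the thread's
 * servlet-mapping; the body is an added illustration, not the poster's
 * code). Mapped to "/" it serves static files from the webapp root but
 * refuses anything under WEB-INF or META-INF, however the name is spelled.
 */
public class FileServlet extends HttpServlet {

    private static final String[] RESERVED = { "web-inf", "meta-inf" };

    // True if a single path segment names a reserved directory. Windows
    // silently drops trailing dots and spaces ("WEB-INF." opens "WEB-INF")
    // and is case-insensitive, so normalise the same way before comparing.
    static boolean isReservedSegment(String segment) {
        String norm = segment.replaceAll("[. ]+$", "").toLowerCase(Locale.ROOT);
        for (String r : RESERVED) {
            if (norm.equals(r)) {
                return true;
            }
        }
        return false;
    }

    // Resolve an already URL-decoded request path against the document root.
    // Returns the file to serve, or null for anything that must be a 404.
    static File resolve(File docRoot, String requestPath) throws IOException {
        if (requestPath == null || requestPath.isEmpty()) {
            return null;
        }
        // First gate: reject by name before touching the filesystem.
        for (String seg : requestPath.split("/")) {
            if (seg.equals("..") || isReservedSegment(seg)) {
                return null;
            }
        }
        // Second gate: canonicalise (resolves symlinks and 8.3 short names)
        // and insist the result stays inside the document root ...
        File root = docRoot.getCanonicalFile();
        File target = new File(root, requestPath).getCanonicalFile();
        String prefix = root.getPath() + File.separator;
        if (!target.getPath().startsWith(prefix)) {
            return null;
        }
        // ... and that the canonical relative path still avoids WEB-INF/META-INF.
        String relative = target.getPath().substring(prefix.length());
        for (String seg : relative.split("[\\\\/]")) {
            if (isReservedSegment(seg)) {
                return null;
            }
        }
        return target.isFile() ? target : null;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String docRoot = getServletContext().getRealPath("/");
        if (docRoot == null) {  // unexploded WAR: no filesystem root to serve from
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // For a "/" mapping the container puts the whole decoded path in
        // getServletPath() and leaves getPathInfo() null.
        String path = req.getServletPath();
        if (req.getPathInfo() != null) {
            path += req.getPathInfo();
        }
        File file = resolve(new File(docRoot), path);
        if (file == null) {
            // Same status as a missing file, so probes learn nothing.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String mime = getServletContext().getMimeType(file.getName());
        resp.setContentType(mime != null ? mime : "application/octet-stream");
        resp.setContentLength((int) file.length());
        try (InputStream in = new FileInputStream(file);
             OutputStream out = resp.getOutputStream()) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
    }
}
```

Two checks are deliberate. The name check runs before any filesystem call, because it is the filesystem that rewrites "WEB-INF." to "WEB-INF"; the canonical-path check runs afterwards, because symlinks and 8.3 short names can also land inside WEB-INF with a name the first check never saw. After deploying, repeat the scanner's probe by hand: requests for /WEB-INF./web.xml, /WEB-INF%2e/web.xml, /WEB-INF%20/web.xml, /web-inf/web.xml and /META-INF/MANIFEST.MF should all return 404, and a 200 carrying XML on any of them is the finding the compliance report described. The simplest fix remains the one the poster made: do not map a file-serving servlet to "/" unless it is needed, since the DefaultServlet already refuses these paths.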
 
Bear Bibeault
Author and ninkuma
Marshal
oy!
 