 |
Startseite ▼ Bookkeeping
Online ▼ Sicherheits
Überprüfungs ▼
Verwaltetes
DNS ▼
Info
Bestellen/Erneuern
FAQ
AUP
Dynamic DNS Clients
Domaine konfigurieren Dyanmic DNS Update Password Netzwerk
Überwachung ▼
Enterprise
Erweiterte
Standard
Gratis Test
FAQ
Preis/Funktionszusammenfassung
Bestellen
Beispiele
Konfigurieren/Status Alarm Profile | ||
| Test Kennung: | 1.3.6.1.4.1.25623.1.0.117195 |
| Kategorie: | Web Servers |
| Titel: | '//WEB-INF/' Information Disclosure Vulnerability (HTTP) |
| Zusammenfassung: | Various application or web servers / products are prone to an; information disclosure vulnerability. |
| Beschreibung: | Summary: Various application or web servers / products are prone to an information disclosure vulnerability. Vulnerability Insight: The servlet specification prohibits servlet containers from serving resources in the '/WEB-INF' and '/META-INF' directories of a web application archive directly to clients. This means that URLs like: http://example.com/WEB-INF/web.xml will return an error message, rather than the contents of the deployment descriptor. However, some application or web servers / products are prone to a vulnerability that exposes this information if the client requests a URL like this instead: http://example.com//WEB-INF/web.xml http://example.com//web-inf/web.xml (note the double slash ('/') before 'WEB-INF'). Vulnerability Impact: Based on the information provided in this file an attacker might be able to gather additional info and / or sensitive data about the application / the application / web server. Affected Software/OS: The following products are known to be affected: - Mort Bay Jetty version 6.1.5 and 6.1.6 (other older versions might be affected as well). - Apache Tomcat before version 3.2.1. - Ignite Realtime Openfire before version 3.4.4 (using an affected Jetty version). - Allaire JRUN 3.0 - JavaServer Web Dev Kit (JSWDK) 1.0.1 for Windows 2000 Other products might be affected as well. Solution: The following vendor fixes are known: - Update Mort Bay Jetty to version 6.1.7 or later. - Update Apache Tomcat to version 3.2.1 or later. - Update Ignite Realtime Openfire to version 3.4.4 or later. For other products please contact the vendor for more information on possible fixes. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N |
| Querverweis: |
Common Vulnerability Exposure (CVE) ID: CVE-2000-1050 Allaire Security Bulletin: ASB00-027 http://www.allaire.com/handlers/index.cfm?ID=17966&Method=Full Bugtraq: 20001023 Allaire's JRUN Unauthenticated Access to WEB-INF directory (Google Search) http://marc.info/?l=bugtraq&m=97236316510117&w=2 http://www.osvdb.org/500 XForce ISS Database: allaire-jrun-webinf-access(5407) https://exchange.xforce.ibmcloud.com/vulnerabilities/5407 Common Vulnerability Exposure (CVE) ID: CVE-2001-0404 Bugtraq: 20010328 CHINANSL Security Advisory(CSA-200106) (Google Search) http://marc.info/?l=bugtraq&m=98583089425166&w=2 Common Vulnerability Exposure (CVE) ID: CVE-2007-6672 BugTraq ID: 27117 http://www.securityfocus.com/bid/27117 CERT/CC vulnerability note: VU#553235 http://www.kb.cert.org/vuls/id/553235 http://www.igniterealtime.org/community/message/163752 http://osvdb.org/39855 http://secunia.com/advisories/28322 http://secunia.com/advisories/28547 http://www.vupen.com/english/advisories/2008/0079 |
| Copyright | Copyright (C) 2021 Greenbone AG |
| Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus. Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten. |