Disclosure: Apache Tomcat 4.0.3 MS-DOS Device Request Handling Remote Path Disclosure

[This was originally sent to CVE and Nikto and then published on OSVDB, now gone. It was discovered in an old version of Apache Tomcat and the solution had existed for several years. VulnDB 20033]

From: security curmudgeon
To: Steven Christey , Sullo of Nikto
Date: Thu, 13 Oct 2005 14:21:33 -0400 (EDT)
Subject: Apache Tomcat 4.0.3 MS-DOS Device Request Path Disclosure

Didn’t see this in CVE or OSVDB. There is a known issue with several web servers including Resin, that when requesting a file that matches a MS-DOS file name, it will error out. Such errors will sometimes include installation path information.

While testing a few servers, the Nikto check for this triggered, but the server wasn’t Resin:

Nikto check that triggered:

  • OSVDB-0: GET /lpt9.xtp : Resin 2.1 reveals the server path when a DOS device is requested.

Actual server:

  • Server: Apache Tomcat/4.0.3 (HTTP/1.1 Connector)

To verify:
Apache Tomcat/4.0.3 – HTTP Status 500 – Internal Server Error

type Exception report

message Internal Server Error

description The server encountered an internal error (Internal Server Error) that prevented it from fulfilling this request.


java.io.FileNotFoundException: C:\Program
Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\ROOT\lpt9.xtp (The system cannot find the file specified)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.(Unknown Source)
at java.io.FileInputStream.(Unknown Source)

Leave a Reply

%d bloggers like this: