"Apache Tomcat Example Scripts Information Leakage" Vulnerabilities

Document ID : KB000007878
Last Modified Date : 14/02/2018
Issue:

Security scans may report some of the example scripts/files that ship with Apache Tomcat as a potential attack vector.

A scan result may look like this:
Apache Tomcat Example Scripts Information Leakage
The following example scripts come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting (XSS) injection.
* /examples/jsp/num/numguess.jsp
* /examples/jsp/dates/date.jsp
* /examples/jsp/snp/snoop.jsp
* /examples/jsp/error/error.html
* /examples/jsp/sessions/carts.html
* /examples/jsp/checkbox/check.html
* /examples/jsp/colors/colors.html
* /examples/jsp/cal/login.html
* /examples/jsp/include/include.jsp
* /examples/jsp/forward/forward.jsp
* /examples/jsp/plugin/plugin.jsp
* /examples/jsp/jsptoserv/jsptoservlet.jsp
* /examples/jsp/simpletag/foo.jsp
* /examples/jsp/mail/sendmail.jsp
* /examples/servlet/HelloWorldExample
* /examples/servlet/RequestInfoExample
* /examples/servlet/RequestHeaderExample
* /examples/servlet/RequestParamExample
* /examples/servlet/CookieExample
* /examples/servlet/JndiServlet
* /examples/servlet/SessionExample
* /tomcat-docs/appdev/sample/web/hello.jsp

Resolution:

To correct this, remove the default Tomcat web applications (docs, examples, host-manager and manager) together with their compiled-JSP work directories under work\Catalina\localhost, so that nothing is left for Tomcat to redeploy or serve:

  1. Stop the CAAIPTomcat service
  2. Delete:
    • X:\CA\VirtualAssurance\tomcat\webapps\docs
    • X:\CA\VirtualAssurance\tomcat\webapps\examples
    • X:\CA\VirtualAssurance\tomcat\webapps\host-manager
    • X:\CA\VirtualAssurance\tomcat\webapps\manager
    • X:\CA\VirtualAssurance\tomcat\work\Catalina\localhost\docs
    • X:\CA\VirtualAssurance\tomcat\work\Catalina\localhost\examples
    • X:\CA\VirtualAssurance\tomcat\work\Catalina\localhost\host-manager
    • X:\CA\VirtualAssurance\tomcat\work\Catalina\localhost\manager
  3. Restart the CAAIPTomcat service
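The three steps above as a single PowerShell script, added here as an example; it is not part of the original article and not code from the CA product. It uses the service name and directory list from the article (X: is the article's placeholder for the install drive and must be replaced), assumes the Tomcat HTTP listener is reachable at http://localhost:8080, which the article does not state, and finishes with a probe of a few of the flagged URLs as an added check that is not part of the documented resolution.

```powershell
# Added example, not from the CA KB article or the CA product: removes the
# default Tomcat web applications from a CA Virtual Assurance install and
# verifies that the URLs flagged by the scanner no longer respond.
# Assumptions not stated in the article: X: stands for the install drive
# (replace it) and the CAAIPTomcat HTTP listener is http://localhost:8080.
#Requires -RunAsAdministrator
param(
    [string]$TomcatHome = 'X:\CA\VirtualAssurance\tomcat',   # X: = install drive placeholder
    [string]$BaseUrl    = 'http://localhost:8080',            # assumed listener
    [string]$Service    = 'CAAIPTomcat'
)

$ErrorActionPreference = 'Stop'

# Default web applications shipped with Tomcat that the scan complains about.
$apps = 'docs', 'examples', 'host-manager', 'manager'

# 1. Stop the service and wait until it has actually exited.
Stop-Service -Name $Service
(Get-Service -Name $Service).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# 2. Delete each application together with its compiled-JSP work directory.
foreach ($app in $apps) {
    foreach ($dir in @("$TomcatHome\webapps\$app",
                       "$TomcatHome\work\Catalina\localhost\$app")) {
        if (Test-Path -LiteralPath $dir) {
            Remove-Item -LiteralPath $dir -Recurse -Force
            Write-Host "removed $dir"
        }
    }
    # If the app was ever deployed from a WAR, autoDeploy would unpack it
    # again on restart, so remove a leftover WAR as well (defensive check).
    $war = "$TomcatHome\webapps\$app.war"
    if (Test-Path -LiteralPath $war) {
        Remove-Item -LiteralPath $war -Force
        Write-Host "removed $war"
    }
}

# 3. Restart the service.
Start-Service -Name $Service
(Get-Service -Name $Service).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
Start-Sleep -Seconds 15   # give Catalina time to finish deployment before probing

# 4. Probe a few of the URLs from the scan; every one should now return 404.
#    A 401 from /manager/html would mean the Manager app is still deployed.
$probes = '/examples/jsp/snp/snoop.jsp',
          '/examples/servlet/RequestInfoExample',
          '/manager/html',
          '/docs/'
$failed = @()
foreach ($p in $probes) {
    try {
        $r = Invoke-WebRequest -Uri "$BaseUrl$p" -UseBasicParsing -TimeoutSec 10
        $code = [int]$r.StatusCode
    } catch {
        # Non-2xx responses throw in both Windows PowerShell and PowerShell 7;
        # read the real status code from the attached response if there is one.
        $resp = $_.Exception.Response
        $code = if ($resp) { [int]$resp.StatusCode } else { 0 }
    }
    if ($code -ne 404) { $failed += "$p -> HTTP $code" }
}
if ($failed) {
    Write-Warning ("Still reachable after cleanup:`n" + ($failed -join "`n"))
    exit 1
}
Write-Host 'All probed example URLs return 404.'
```

Run it from an elevated PowerShell prompt on the CA Virtual Assurance host, passing -TomcatHome and -BaseUrl if the install drive or listener port differ from the defaults. A non-zero exit means at least one flagged URL still answers and the deletion should be checked by hand before re-running the scan.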


Once this is completed, a re-scan should no longer report this vulnerability.