'/WEB-INF./' Information Disclosure Vulnerability (HTTP)

Various application or web servers / products are prone to an information disclosure vulnerability.

The servlet specification prohibits servlet containers from serving resources in the '/WEB-INF' and '/META-INF' directories of a web application archive directly to clients. This means that URLs like: http://example.com/WEB-INF/web.xml will return an error message, rather than the contents of the deployment descriptor. However, some application or web servers / products are prone to a vulnerability that exposes this information if the client requests a URL like this instead: http://example.com/WEB-INF./web.xml http://example.com/web-inf./web.xml (note the trailing dot ('.') after 'WEB-INF').

The following products are known to be affected: - Sybase EA Server 4.0 - OC4J - Oracle Containers for J2EE - Orion 1.5.3 - JRun 3.0, 3.1 and JRun 4 - Macromedia / Allaire JRun - HPAS 8.0 - Hewlett Packard App Server - Pramati 3.0 - Pramati App Server - WildFly (formerly JBoss Application Server) before 10.0.0.Final - HPE B-Series SAN Network Advisor Software Running WildFly (formerly JBoss Application Server) Other products might be affected as well.

Sends a crafted HTTP GET request and checks the response.

The following vendor fixes are known: - Update WildFly to version 10.0.0.Final or later. For other products please contact the vendor for more information on possible fixes.