'//WEB-INF/' Information Disclosure Vulnerability (HTTP)

Various application or web servers / products are prone to an information disclosure vulnerability.

The servlet specification prohibits servlet containers from serving resources in the '/WEB-INF' and '/META-INF' directories of a web application archive directly to clients. This means that URLs like: http://example.com/WEB-INF/web.xml will return an error message, rather than the contents of the deployment descriptor. However, some application or web servers / products are prone to a vulnerability that exposes this information if the client requests a URL like this instead: http://example.com//WEB-INF/web.xml http://example.com//web-inf/web.xml (note the double slash ('/') before 'WEB-INF').

The following products are known to be affected: - Mortbay Jetty version 6.1.5 and 6.1.6 (other older versions might be affected as well). - Apache Tomcat before version 3.2.1. - Ignite Realtime Openfire before version 3.4.4 (using an affected Jetty version). - Allaire JRUN 3.0 - JavaServer Web Dev Kit (JSWDK) 1.0.1 for Windows 2000 Other products might be affected as well.

Sends a crafted HTTP GET request and checks the response.

The following vendor fixes are known: - Update Mortbay Jetty to version 6.1.7 or later. - Update Apache Tomcat to version 3.2.1 or later. - Update Ignite Realtime Openfire to version 3.4.4 or later. For other products please contact the vendor for more information on possible fixes.