Tomcat 3.2.x problem with MS-DOS device names

Tue, 19 Feb 2008 20:57:01 -0800 

Hi,
 
Our application used Tomcat 3.2 and Nessus scan reported the following
CVE against it
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2003-0045
<BLOCKED::http://nvd.nist.gov/nvd.cfm?cvename=CVE-2003-0045> 
 
Tomcat release notes suggest fixing defect in 3.3.1a and later. We moved
to Tomcat 5.5 and still saw Nessus reporting the same vulnerability. The
Nessus scan may not be accurate since we ensured that Tomcat did not
actually freeze after the attack.  
 
However, we are now stuck in verifying the vulnerability existed in
Tomcat 3.2. Have tried testing with a sample servlet - it returns a 404
Not Found error on requests like http://[ip <BLOCKED::http://[ip/>
addr]:8080/test/aux.jsp. Traces show something like
java.io.IOException: Bad pathname
        at java.io.WinNTFileSystem.canonicalize0(Native Method)
        at
java.io.Win32FileSystem.canonicalize(Win32FileSystem.java:354)
        at java.io.File.getCanonicalPath(File.java:513)
        at org.apache.tomcat.util.FileUtil.safePath(FileUtil.java:184)
        at org.apache.tomcat.core.Context.getRealPath(Context.java:797)
        at
org.apache.tomcat.facade.ServletContextFacade.getRealPath(ServletCont
extFacade.java:136)
        at
org.apache.jasper.JspEngineContext.getRealPath(JspEngineContext.java:
359)
....
2008-02-19 10:18:05 - Ctx( /test ): 404 R( /test + /aux.jsp + null) JSP
file not
 found
2008-02-19 10:18:05 - Ctx( /test ): Handler
tomcat.notFoundHandler(null/null) to
mcat.notFoundHandler
 
on such requests. And even with limiting the number of threads, Tomcat
does not freeze. And thread dumps dont indicate anything wrong.
 
Have tried it both on Windows 2000 server and Windows XP. Is there any
dependency on Windows versions?
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2003-0045
<BLOCKED::http://nvd.nist.gov/nvd.cfm?cvename=CVE-2003-0045>  seems to
suggest it occurs in certain Windows systems while
http://xforce.iss.net/xforce/xfdb/12102
<BLOCKED::http://xforce.iss.net/xforce/xfdb/12102>  says it occurs in
all versions of Windows.
 
http://marc.info/?l=tomcat-dev&m=101055029706766&w=2
<http://marc.info/?l=tomcat-dev&m=101055029706766&w=2>  - This mail
thread is refering to some similar/same(?) bug and suggests even Windows
NT, 2000 have a problem but may be Tomcat 3.2.4 doesnt show the problem.
 
Does anyone remember if this vulnerability can be triggered in Tomcat
3.2 and how? Any pointers to the bug fix in subversion would also help.
 
Regards
Mamatha

Reply via email to