PT-2006-4694 · Apache · Apache Tomcat

Published: 2006-07-25 · Updated: 2022-05-01 · CVE-2006-3835

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions prior to 5.5.17

Description

The issue allows remote attackers to list directories by inserting a semicolon (;) before a filename with a mapped extension. This is possible because the semicolon is used as a separator for path parameters, which changes the request into a directory request with a path parameter. If directory listings are enabled, a directory listing will be shown. This behavior was considered a security concern and led to changes in the default settings.

Recommendations

For Apache Tomcat versions prior to 5.5.17, consider disabling directory listings to minimize the risk of exploitation. As a permanent fix, update to version 5.5.17 or later, where directory listings are disabled by default.

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2006-3835
GHSA-WFJ7-MHR5-PCWQ
RHSA-2007:0326
RHSA-2007:0340
RHSA-2007:1069
RHSA-2008:0261
RHSA-2008:0524
RHSA-2010:0602

Affected Products

Apache Tomcat