Jakarta Tomcat versions prior to 3.3.1a, when used with JDK 1.3.1 or earlier, allow remote attackers to list directories even with an index.html or other file present via a URL containing a null character. Tomcat also uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.
HTTP requests containing binary null or backslash characters are parsed incorrectly by Tomcat's built-in web server. This may allow certain commands to retrieve the contents of files and directories that should not be visible to the outside. The source of .jsp files may be retrieved using this method.
The following GET request causes the directory listing of the web root to be displayed by Tomcat:
GET /.jsp HTTP/1.0
The servlet engine retrieves the directory listing and files as a .jsp file. Attackers may be able to exploit this vulnerability to run arbitrary Java code: a file whose name contains JSP tags could be executed when a directory listing request is sent, and HTML and other types of files with Java code embedded in them may be compiled in the same way.
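As an added illustration of the parsing defect described above (detection code written for this page, not part of the original advisory or of Tomcat), the following Python helper scans HTTP request lines for the null-byte and backslash characters the advisory mentions, so that such requests can be flagged in proxy or server logs. The request lines are constructed samples and the function names are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Request-line grammar: METHOD SP request-target SP HTTP/x.y
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")


def suspicious_chars(path: bytes) -> list:
    """Return the reasons a request path looks aimed at the Tomcat 3.x parser bug."""
    decoded = unquote_to_bytes(path)  # %00 -> NUL, %5c -> backslash
    reasons = []
    if b"\x00" in decoded:
        reasons.append("null-byte")
    if b"\\" in decoded:
        reasons.append("backslash")
    # a NUL immediately before the .jsp suffix matches the directory-listing pattern
    if b"\x00.jsp" in decoded.lower():
        reasons.append("null-before-jsp")
    return reasons


def scan_request_lines(lines):
    """Return (line, reasons) for every request line that merits investigation."""
    findings = []
    for raw in lines:
        m = REQUEST_LINE.match(raw.strip())  # strip() leaves NUL bytes in place
        if not m:
            findings.append((raw, ["malformed-request-line"]))
            continue
        reasons = suspicious_chars(m.group(2))
        if reasons:
            findings.append((raw, reasons))
    return findings


# Constructed sample request lines (not captured traffic).
SAMPLE = [
    b"GET /index.html HTTP/1.0",
    b"GET /%00.jsp HTTP/1.0",
    b"GET /examples%5cjsp/num/numguess.jsp HTTP/1.0",
    b"GET /docs/\x00index.jsp HTTP/1.0",
]

if __name__ == "__main__":
    for line, reasons in scan_request_lines(SAMPLE):
        print(line, "->", ", ".join(reasons))
```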
Remote users may also force .jsp files to be interpreted as plain HTML, displaying the source with the following command:
Administrators are advised to review the Important Security Note at the update link in Patches/Software. The update version includes example applications that are vulnerable to known cross-site scripting vulnerabilities. These examples should be removed.
Cross-site scripting vulnerabilities in the examples and ROOT web applications for Jakarta Tomcat 3.x through 3.3.1 allow remote attackers to execute arbitrary web script.