
[Vulnerability notice] Example scripts information leakage vulnerabilities in Apache Tomcat

Last Updated: Nov 23, 2017

Tomcat is a lightweight open-source web application server. It is widely used in small and medium-sized systems and in scenarios with low concurrent access, and it is also the first choice for developing and debugging JSP programs.

Description

In general, you can use Tomcat directly after downloading and extracting the source code package.

By default, the servlets-examples and tomcat-docs directories are included in the Tomcat source code package. These directories contain a number of examples, some of which carry security risks.

For example, the session example (/examples/servlets/servlet/SessionExample) lets any user manipulate the session. Attackers may use this sample to bypass the website's authentication and log on directly to the backend.

Affected versions

All versions of Tomcat

Fix

Because the example applications are generally not needed, we recommend that you delete the servlets-examples and tomcat-docs directories directly after deployment.

Note: Make a backup before making any changes, or create a hard disk snapshot for ECS.
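The fix and the backup note above, carried out as a small POSIX shell script. This is an added example and not part of the original notice or the Tomcat project: it assumes CATALINA_HOME points at the Tomcat installation whose webapps/ directory holds the deployed applications, that tar is available, and it looks for the servlets-examples and tomcat-docs directories named in this notice as well as examples and docs, the names newer Tomcat releases use for the same content. It archives whatever it finds before deleting, so the original directories can be restored from the backup.

```shell
#!/bin/sh
# Added example (not from the original advisory): remove Tomcat's bundled
# example/documentation webapps from a deployment, taking a backup first.
# Assumptions: POSIX sh, tar available, CATALINA_HOME is the Tomcat install
# directory and deployed applications live under $CATALINA_HOME/webapps.

# Directory names from the advisory (servlets-examples, tomcat-docs) plus the
# names newer Tomcat releases use for the same sample content (examples, docs).
SAMPLE_WEBAPPS="servlets-examples tomcat-docs examples docs"

# list_sample_webapps CATALINA_HOME
# Prints the sample webapp directories present under $1/webapps, one per line.
list_sample_webapps() {
    _home="$1"
    for _name in $SAMPLE_WEBAPPS; do
        if [ -d "$_home/webapps/$_name" ]; then
            printf '%s\n' "$_name"
        fi
    done
}

# count_sample_webapps CATALINA_HOME
# Prints how many sample webapps are still deployed (0 means hardened).
count_sample_webapps() {
    list_sample_webapps "$1" | wc -l | tr -d ' '
}

# remove_sample_webapps CATALINA_HOME BACKUP_DIR
# Archives every sample webapp found into BACKUP_DIR/tomcat-samples-backup.tar,
# then deletes the directories. Returns 0 on success, 1 if none were present.
remove_sample_webapps() {
    _home="$1"
    _found=$(list_sample_webapps "$_home")
    if [ -z "$_found" ]; then
        echo "no sample webapps found under $_home/webapps" >&2
        return 1
    fi
    mkdir -p "$2"
    # Absolute path, so the archive lands in BACKUP_DIR regardless of -C below.
    _backup_dir=$(cd "$2" && pwd)
    # $_found is intentionally unquoted: one directory name per line, split by IFS.
    tar -cf "$_backup_dir/tomcat-samples-backup.tar" -C "$_home/webapps" $_found
    for _name in $_found; do
        rm -rf "$_home/webapps/$_name"
        echo "removed $_home/webapps/$_name"
    done
    return 0
}

# Usage (after sourcing this file), for example:
#   remove_sample_webapps "$CATALINA_HOME" /root/tomcat-samples-backup
#   count_sample_webapps "$CATALINA_HOME"    # expect 0 afterwards
```

Run count_sample_webapps again after restarting Tomcat as a quick post-change check; a non-zero count means a sample application is still deployed. The script does not touch ROOT, manager or any application you deployed yourself, because it only matches the fixed list of sample directory names.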

Learn more: Harden Tomcat.
