CVE-2006-3835
published 2006-07-25
CVE-2006-3835: Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by…
Priority P3 · 36 · medium · 5 · CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS 45.58% (98.6th percentile)
Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by URLs ending with /;index.jsp and /;help.do.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
Detection & IOCs
- Detect directory listing probe attempts by matching HTTP requests containing a semicolon (;) immediately preceding a filename with a mapped extension (e.g., /*.jsp, /*.do) in the URL path.
- Monitor HTTP requests where everything after the semicolon in the path is discarded by Tomcat, effectively turning the request into a directory listing request. Flag any request path matching the pattern /;<string>.<mapped-extension>.
- Alert on HTTP requests to Apache Tomcat 5.x (versions prior to 5.5.17) where the URL path contains a semicolon character followed by a mapped file extension such as .jsp or .do.
- This vulnerability only triggers when directory listings are enabled in Tomcat. If directory listings are disabled, the semicolon trick returns a 404 and no directory contents are exposed. Detection/exploitation is conditional on this configuration.
- The root cause is not strictly in Tomcat itself but is attributed to mod_jk behavior; Tomcat 5.5.17 mitigated the issue by disabling directory listings by default rather than patching the semicolon parsing.
- Affected versions span Apache Tomcat 5.0.0–5.5.30 and 5.5.0–5.5.12; third-party products bundling affected Tomcat versions (e.g., Novell GroupWise Mobile Server, Nokia Intellisync Mobile Suite, ToutVirtual VirtualIQ Pro 3.2) are also vulnerable.
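The detection points above, applied to web access logs, as an added example that is not part of the original page or of any Tomcat tooling. It assumes combined-format log lines and that `.jsp` and `.do` are the mapped extensions on the monitored host; the sample log lines are constructed.

```python
import re

# Assumption: extensions mapped to servlets on the monitored host (the page names .jsp and .do).
MAPPED_EXTENSIONS = ("jsp", "do")

# Request line and status code inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def probe_segment(target, extensions=MAPPED_EXTENSIONS):
    """Return the final path segment if it has the form ;<string>.<mapped-extension>, else None."""
    path = target.split("?", 1)[0]        # the query string is not part of the path
    last = path.rsplit("/", 1)[-1]        # only the final segment is checked
    if not last.startswith(";") or "." not in last:
        return None                       # e.g. index.jsp;jsessionid=... is an ordinary path parameter
    ext = last.rsplit(".", 1)[1].lower()
    return last if ext in extensions else None

def classify(line):
    """Return a finding dict for a log line that matches the probe pattern, else None."""
    m = REQUEST_RE.search(line)
    if m is None or probe_segment(m["target"]) is None:
        return None
    status = int(m["status"])
    if status == 200:
        verdict = "possible-listing"        # content was served: check whether listings are enabled
    elif status == 404:
        verdict = "probe-listing-disabled"  # the response the page describes when listings are off
    else:
        verdict = "probe"
    return {"target": m["target"], "status": status, "verdict": verdict}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample input (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jul/2006:10:00:01 +0000] "GET /app/;index.jsp HTTP/1.1" 200 1834',
    '192.0.2.10 - - [21/Jul/2006:10:00:02 +0000] "GET /docs/;help.do HTTP/1.1" 404 952',
    '198.51.100.7 - - [21/Jul/2006:10:00:05 +0000] "GET /app/index.jsp;jsessionid=0A1B2C HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/Jul/2006:10:00:09 +0000] "GET /app/index.jsp?next=;x.jsp HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A `possible-listing` verdict only means the request was answered with content; confirming exposure still requires checking the server's directory listing setting.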
CVSS provenance
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat · 5.0 MEDIUM
OSV
Apache Tomcat Reveals Directories
osv·2022-05-01
CVE-2006-3835 [MEDIUM] Apache Tomcat Reveals Directories
Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (`;`) preceding a filename with a mapped extension, as demonstrated by URLs ending with `/;index.jsp` and `/;help.do`.
GHSA
Apache Tomcat Reveals Directories
ghsa·2022-05-01
CVE-2006-3835 [MEDIUM] CWE-200 Apache Tomcat Reveals Directories
Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (`;`) preceding a filename with a mapped extension, as demonstrated by URLs ending with `/;index.jsp` and `/;help.do`.
Red Hat
tomcat directory listing issue
vendor_redhat·2006-07-21·CVSS 5.0
CVE-2006-3835 [MEDIUM] tomcat directory listing issue
Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by URLs ending with /;index.jsp and /;help.do.
Statement: This issue is not a security issue in Tomcat itself, but is caused when directory listings are enabled.
Details on how to disable directory listings are available at: http://tomcat.apache.org/faq/misc.html#listing
No detection rules found.
Exploit-DB
toutvirtual virtualiq pro 3.2 - Multiple Vulnerabilities
exploitdb·2009-11-07
CVE-2009-4849 toutvirtual virtualiq pro 3.2 - Multiple Vulnerabilities
---
Secure Network - Security Research Advisory
Vuln name: ToutVirtual VirtualIQ Pro Multiple Vulnerabilities
Systems affected: ToutVirtual VirtualIQ Professional 3.2 build 7882
Systems not affected: --
Severity: High
Local/Remote: Remote
Vendor URL: http://www.toutvirtual.com
Author(s): Alberto Trivero (a.trivero (at) securenetwork (dot) it [email concealed])
Claudio Criscione (c.criscione (at) securenetwork (dot) it [email concealed])
Vendor disclosure: 02/07/2009
Vendor acknowledged: 16/07/2009
Vendor patch release: notified us on 06/11/2009
Public disclosure: 07/11/2009
Advisory number: SN-2009-02
Advisory URL: http://www.securenetwork.it/advisories/sn-2009-02.txt
*** SUMMARY ***
ToutVirtual's VirtualIQ Pro is speci
Exploit-DB
Apache Tomcat 5 - Information Disclosure
exploitdb·2006-07-21
CVE-2006-3835 Apache Tomcat 5 - Information Disclosure
---
source: https://www.securityfocus.com/bid/19106/info
Apache Tomcat is prone to an information-disclosure vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to reveal a complete directory listing from any directory. Information obtained may aid in further attacks. Reports indicate that this issue may also allow attackers to obtain the source code of script files.
Apache Tomcat 5.028, 5.5.23, 5.5.9, and 5.5.7 are vulnerable to this issue; other versions may also be affected.
Novell GroupWise Mobile Server 1.0 or other versions bundled with Nokia Intellisync Mobile Suite 6.4.31.2, 6.6.0.107, and 6.6.2.2 ship with an affected version of Tomcat and are vulnerable as well.
http://www.exam
Bugzilla
CVE-2007-5333 Improve cookie parsing for tomcat5 [rhn_satellite_5.0]
bugzilla·2008-01-10·CVSS 4.3
CVE-2007-5333 [MEDIUM] CVE-2007-5333 Improve cookie parsing for tomcat5 [rhn_satellite_5.0]
rhn_satellite_5.0 tracking bug: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
For the security issues handling process overview see: http://intranet.corp.redhat.com/ic/intranet/SecurityZStreamFAQ
[bug automatically created by: add-tracking-bugs]
Discussion:
[root@rlx-3-18 RPMS]# ls tomcat5-5.0.30-0jpp_9rh.noarch.rpm
tomcat5-5.0.30-0jpp_9rh.noarch.rpm
[root@rlx-3-18 RPMS]# pwd
/tmp/mnt/RPMS
[root@rlx-3-18 RPMS]#
verified
---
This is not a bug. The real issue that was talked about is actually:
private bug Bugzilla Bug 430731: CVE-2007-5461 CVE-2007-3385 CVE-2007-3382
CVE-2007-1358 CVE-2007-1355 CVE-2007
Bugzilla
A number of tomcat issues
bugzilla·2007-05-09·CVSS 5.0
CVE-2005-3164 [MEDIUM] A number of tomcat issues
A number of issues affected tomcat 4.0.6 as distributed with Stronghold. Most
of these are minor severity, all need triaging:
http://tomcat.apache.org/security-4.html
Information disclosure CVE-2005-3164
Information disclosure CVE-2005-2090
Directory traversal CVE-2007-0450
Cross-site scripting CVE-2007-1358
Cross-site scripting CVE-2006-7196
Directory listing CVE-2006-3835
Cross-site scripting CVE-2005-4838
Denial of service CVE-2005-3510
Denial of service CVE-2003-0866
Information disclosure CVE-2002-2006
Discussion:
closing; Stronghold has reached end of life.
Bugzilla
CVE-2005-2090 multiple tomcat issues (CVE-2007-0450 CVE-2006-7195 CVE-2006-7196 CVE-2007-1858 CVE-2006-3835 CVE-2005-3510 CVE-2005-4838)
bugzilla·2007-04-30·CVSS 4.3
CVE-2005-2090 [MEDIUM] CVE-2005-2090 multiple tomcat issues (CVE-2007-0450 CVE-2006-7195 CVE-2006-7196 CVE-2007-1858 CVE-2006-3835 CVE-2005-3510 CVE-2005-4838)
A number of flaws affect the version of Tomcat5 shipped with RHAPS-EL3 (last
updated in RHSA-2006:0592 to 5.0.28). Please see linked bugs for details.
Discussion:
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2007-0340.html
Bugzilla
CVE-2005-2090 multiple tomcat issues (CVE-2007-0450 CVE-2006-7195 CVE-2006-7196 CVE-2007-1858 CVE-2006-3835)
bugzilla·2007-04-19·CVSS 4.3
CVE-2005-2090 [MEDIUM] CVE-2005-2090 multiple tomcat issues (CVE-2007-0450 CVE-2006-7195 CVE-2006-7196 CVE-2007-1858 CVE-2006-3835)
A number of flaws affect the version of Tomcat5 shipped with RHAPS2 (last
updated in RHSA-2006:0161 to 5.5.12). Please see linked bugs for details.
Discussion:
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2007-0326.html
Bugzilla
CVE-2006-3835 tomcat directory listing issue
bugzilla·2007-04-19·CVSS 5.0
CVE-2006-3835 [MEDIUM] CVE-2006-3835 tomcat directory listing issue
According to http://tomcat.apache.org/security-5.html
Fixed in Apache Tomcat 5.5.13, 5.0.HEAD
Directory listing CVE-2006-3835
This is expected behaviour when directory listings are enabled. The semicolon
(;) is the separator for path parameters so inserting one before a file name
changes the request into a request for a directory with a path parameter. If
directory listings are enabled, a directory listing will be shown. In response
to this and other directory listing issues, directory listings were changed to
be disabled by default.
Affects: 5.0.0-5.5.30, 5.5.0-5.5.12
Discussion:
Note that there's no actual fix in Tomcat 5.5.17 (as the problem is not Tomcat
related, but is caused by mod_jk). It is simply that in that release
directory li
Bugzilla
CVE-2006-3835 tomcat directory listing leak (RHAPS)
bugzilla·2006-08-09·CVSS 5.0
CVE-2006-3835 [MEDIUM] CVE-2006-3835 tomcat directory listing leak (RHAPS)
ScanAlert Security Advisory:
http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0467.html
Apache Tomcat can be forced to reveal a complete directory listing for any
directory by requesting a mapped file extension prepended with a semicolon, a
reserved character. The file does not need to exist.
Discussion:
This is not a security bug (it is a bug, just not a security one..). The
directory list can be acquired with the ";" only if directory listing is allowed.
If directory listing is disabled, tomcat will show a 404 page if a ";" is in
there. Based on what I am seeing, it seems that everything after the ";" gets
cut off, and tomcat only considers the initial part. e.g.
Listing allowed:
http://site.org/ will display contents
Bugzilla
CVE-2006-3835 tomcat directory listing leak (RHAPS2)
bugzilla·2006-08-07·CVSS 5.0
CVE-2006-3835 [MEDIUM] CVE-2006-3835 tomcat directory listing leak (RHAPS2)
ScanAlert Security Advisory:
http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0467.html
Apache Tomcat can be forced to reveal a complete directory listing for any
directory by requesting a mapped file extension prepended with a semicolon, a
reserved character. The file does not need to exist.
Discussion:
Check bug 201915 for additional information.
Published 2006-07-25