Apache Tomcat AJP RCE Vulnerability


A routine OpenVAS vulnerability scan of the server found a highest-severity vulnerability, one that has now appeared for the second time.

 

The China National Vulnerability Database (CNVD) describes the vulnerability as follows:

https://www.cnvd.org.cn/flaw/show/CNVD-2020-10487

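File inclusion vulnerability in Apache Tomcat server

CNVD-ID: CNVD-2020-10487
Publication date: 2020-02-20
Severity: High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Affected product: Apache Tomcat server
CVE ID: CVE-2020-1938
Description: Apache and Tomcat are both projects developed by the Apache open-source organization for serving HTTP. Both are free, and both can run as standalone web servers.

The Apache Tomcat server has a file inclusion vulnerability. An attacker can use it to read or include any file under all webapp directories on Tomcat, such as webapp configuration files or source code.

Vulnerability type: Generic vulnerability
Reference links:
Solution: Apache has released versions 9.0.31, 8.5.51 and 7.0.100, which fix this vulnerability. Users are advised to download and use them:
https://tomcat.apache.org/download-70.cgi
https://tomcat.apache.org/download-80.cgi
https://tomcat.apache.org/download-90.cgi
Vendor patch: File inclusion vulnerability in Apache Tomcat server
Verification status: Verified
Reported: 2020-01-06
Recorded: 2020-02-19
Updated: 2020-03-16
Attachment: Not yet public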

 

The OpenVAS scan result is as follows:

Summary

Apache Tomcat is prone to a remote code execution vulnerability in the AJP connector.

Vulnerability Detection Result

It was possible to read the file "WEB-INF/web.xml" through the ajp13 connector.

Result:


Solution

Solution type: VendorFix

Update to version 7.0.100, 8.5.51, 9.0.31 or later.

Affected Software/OS

Apache Tomcat versions prior 7.0.100, 8.5.51 or 9.0.31 when the AJP connector is enabled.

Vulnerability Insight

Apache Tomcat server has a file containing vulnerability, which can be used by an attacker to read or include any files in all webapp directories on Tomcat, such as webapp configuration files or source code.

Vulnerability Detection Method

Sends a crafted AJP13 request and checks the response.

Details: Apache Tomcat AJP RCE Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.143545)

Version used: 2020-02-25T10:59:55+0000
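
The report gives two conditions for exposure: a Tomcat version older than 7.0.100, 8.5.51 or 9.0.31, and an enabled AJP connector. Both can be checked locally on a host from the version string and server.xml. This is an added example, not part of the original post or of OpenVAS; the function names and the sample server.xml are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, as listed in the advisory and scan report above.
FIXED = {(7, 0): 100, (8, 5): 51, (9, 0): 31}

def version_is_affected(version):
    """True/False for branches named above, None for any other branch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % version)
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return None if fixed is None else patch < fixed

def ajp_connectors(server_xml):
    """Return (address, port) for every active AJP <Connector> in server.xml."""
    root = ET.fromstring(server_xml)  # commented-out connectors are not parsed
    found = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        if "ajp" in proto.lower():  # "AJP/1.3" or an org.apache.coyote.ajp.* class
            found.append((conn.get("address", "(unset)"), conn.get("port")))
    return found

def assess(version, server_xml):
    """Combine both conditions from the report: old version AND AJP enabled."""
    connectors = ajp_connectors(server_xml)
    affected = version_is_affected(version)
    exposed = None if affected is None else (affected and bool(connectors))
    return {"version_affected": affected,
            "ajp_connectors": connectors,
            "exposed": exposed}

# Constructed sample configuration (not taken from the scanned server).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8010" protocol="AJP/1.3" /> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

if __name__ == "__main__":
    print(assess("8.5.50", SAMPLE_SERVER_XML))
    print(assess("8.5.51", SAMPLE_SERVER_XML))
```

A result of `None` means the branch is not one of the three named in the advisory, so this table cannot decide it.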


 

python a.py <IP address> -p 8009 -f WEB-INF/web.xml
