Rule:  
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC tomcat directory traversal attempt"; flags:A+; uricontent:"%00.jsp"; reference:bugtraq,2518;  classtype:web-application-attack; sid:1055; rev:2;)
--

Sid:
1055

--

Summary:
A directory traversal attack against Apache Tomcat was detected.

--
Impact:
An attacker may have been able to retrieve a directory listing or the contents
of any file readable by the web user, including files outside of the web root.

--
Detailed Information:
Apache Tomcat is a Java servlet container, commonly used for serving JSP-based
web applications.  Some versions of
Apache Tomcat contain a vulnerability that can allow unauthorized directory
listings and content retrievals of files.  Any file that is available to the
web server user can be retrieved, including files outside of the web root.

--
Attack Scenarios:
Attacker sends a simple URL like the following:
http://target:8080/%2e%2e/%2e%2e%5cyourfilehere%00.jsp

--
Ease of Attack:
Very simple handcrafted URL.

--
False Positives:

--
False Negatives:

--
Corrective Action:
Examine the packet to see if a web request was being done.  Try to
determine what the requested file was, and determine
from the web server's configuration whether it was a threat or not
(e.g., whether the requested file even existed and whether the web
server was vulnerable to such attacks).

--
Contributors:

--
Additional References:
Bugtraq:  BID 2518
