Eclipse Jetty Configuration Disclosure Scanner
This scanner detects Eclipse Jetty configuration disclosure in digital assets. An Eclipse Jetty server with directory listing enabled reveals its directory structure and file names to unauthenticated users. Detecting this helps in securing sensitive files and preventing unauthorized access.
Short Info
- Level: Single Scan
- Can be used by: Asset Owner
- Estimated Time: 10 seconds
- Time Interval: 3 weeks 19 hours
- Scan only one: URL
Toolbox
The Eclipse Jetty server is a widely used web server and servlet container known for its scalability and embeddability in Java applications. It serves many purposes, including hosting web applications, serving static files, and providing HTTP services. Developers choose Jetty for its lightweight footprint and ease of integration, making it well suited to applications that require embedded HTTP functionality. Large-scale software deployed in embedded systems also relies on Jetty because of its compatibility and performance.
The vulnerability in Eclipse Jetty arises from directory listing being enabled, which exposes directory structures to unauthenticated users. This access can reveal the presence of sensitive files, backup files, and crucial configuration files, potentially aiding attackers in gaining unauthorized information. Identifying and addressing this vulnerability helps in safeguarding web servers from reconnaissance activities by malicious entities.
The technical detail is that the Jetty server has directory listing enabled. When a directory is requested directly through a browser and no index document or restrictive configuration applies, the server renders the directory's contents as an HTML listing. Affected endpoints typically include directories such as /static/, /resources/, /assets/, and /files/, where the server returns a listing of files instead of an index page or an error response. An unauthenticated visitor can thus learn file names and directory structure, which increases risk.
If malicious individuals exploit this vulnerability, they could enumerate files, discover hidden resources, or locate backup and configuration files, which may lead to unauthorized data exposure. Such exposure can be detrimental, potentially leading to further breaches at the application layer and resulting in data theft or loss.
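As an added example (not the scanner's own code), the check below audits responses from a Jetty deployment you operate: it flags paths whose response is Jetty's built-in listing page and reports the names exposed there. It assumes that Jetty's listing page titles itself "Directory: <path>"; the HTTP responses are constructed inline, not captured from a real host.

```python
import re
from typing import Dict, List, Tuple

# Assumption: Jetty's built-in directory listing (DefaultServlet / ResourceHandler)
# carries a <title>Directory: <path></title> element. Anchors in the listing link
# each entry; the first anchor is the parent-directory link.
TITLE_RE = re.compile(r"<title>\s*Directory:\s*(?P<path>[^<]*?)\s*</title>", re.I)
HREF_RE = re.compile(r'<a\s+href="([^"]+)"', re.I)

def is_jetty_listing(status: int, body: str) -> bool:
    """True when a 200 response body looks like Jetty's directory listing page."""
    return status == 200 and TITLE_RE.search(body) is not None

def listed_names(body: str) -> List[str]:
    """Entry names linked from a listing page, excluding the parent-directory link."""
    names = []
    for href in HREF_RE.findall(body):
        name = href.rstrip("/").split("/")[-1]
        if name in ("", ".."):          # skip the "Parent Directory" link
            continue
        names.append(name)
    return names

def audit(responses: Dict[str, Tuple[int, str]]) -> Dict[str, List[str]]:
    """Map each path whose response is a Jetty listing to the names it exposes."""
    return {path: listed_names(body)
            for path, (status, body) in responses.items()
            if is_jetty_listing(status, body)}

def jetty_listing_page(path: str, names: List[str]) -> str:
    """Constructed stand-in for Jetty's listing HTML, used only as sample input."""
    rows = "".join(f'<tr><td class="name"><a href="{path}{n}">{n}</a></td></tr>' for n in names)
    return (f'<!DOCTYPE html><html><head><link href="jetty-dir.css" rel="stylesheet" />'
            f'<title>Directory: {path}</title></head><body><h1 class="title">Directory: {path}</h1>'
            f'<table><tr><td><a href="{path}../">Parent Directory</a></td></tr>{rows}</table>'
            '</body></html>')

# Constructed responses: one exposed listing, one index page, two error pages.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "/static/": (200, jetty_listing_page("/static/", ["app.js", "config.bak", "img/"])),
    "/resources/": (200, "<html><head><title>Welcome</title></head><body>index page</body></html>"),
    "/assets/": (403, "<html><body><h2>HTTP ERROR 403 Forbidden</h2></body></html>"),
    "/files/": (404, "<html><body><h2>HTTP ERROR 404 Not Found</h2></body></html>"),
}

if __name__ == "__main__":
    for path, names in audit(SAMPLE_RESPONSES).items():
        print(f"directory listing exposed at {path}: {', '.join(names)}")
```

For each flagged path, disable listing in Jetty (the DefaultServlet `dirAllowed` init parameter set to false) or place an index document in the directory, then re-run the audit.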
REFERENCES
- https://www.eclipse.org/jetty/documentation/jetty-11/operations-guide/index.html
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information
- https://cwe.mitre.org/data/definitions/548.html