Think you have a false positive on this rule?

Sid 1-18

Summary:

    "HI_CLIENT_WEBROOT_DIR

Impact:

    Confidentiality Impact: PARTIAL Integrity Impact: NONE Availability Impact: NONE

Detailed Information:

    Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.

Affected Systems:

    apache tomcat 4.1.2
    apache tomcat 4.1.1
    apache tomcat 4.1.3
    apache tomcat 4.1.35
    apache tomcat 4.1.34
    apache tomcat 4.1.26
    apache tomcat 4.1.25
    apache tomcat 4.1.28
    apache tomcat 4.1.27
    apache tomcat 4.1.29
    apache tomcat 6.0.4
    apache tomcat 6.0.5
    apache tomcat 4.1.20
    apache tomcat 4.1.22
    apache tomcat 6.0.0
    apache tomcat 4.1.21
    apache tomcat 6.0.1
    apache tomcat 6.0.2
    apache tomcat 6.0.3
    apache tomcat 5.5.25
    apache tomcat 5.5.24
    apache tomcat 5.5.23
    apache tomcat 5.5.22
    apache tomcat 6.0
    apache tomcat 6.0.9
    apache tomcat 5.5.27
    apache tomcat 5.5.26
    apache tomcat 6.0.6
    apache tomcat 6.0.7
    apache tomcat 5.5.21
    apache tomcat 5.5.20
    apache tomcat 4.1.24
    apache tomcat 4.1.23
    apache tomcat 4.1.15
    apache tomcat 4.1.14
    apache tomcat 4.1.17
    apache tomcat 4.1.16
    apache tomcat 4.1.19
    apache tomcat 4.1.18
    apache tomcat 4.1.11
    apache tomcat 4.1.10
    apache tomcat 5.5.14
    apache tomcat 5.5.13
    apache tomcat 5.5.12
    apache tomcat 5.5.11
    apache tomcat 5.5.16
    apache tomcat 5.5.15
    apache tomcat 6.0.14
    apache tomcat 6.0.13
    apache tomcat 5.5.19
    apache tomcat 5.5.10
    apache tomcat 4.1.13
    apache tomcat 4.1.12
    apache tomcat 5.5.0
    apache tomcat 5.5.1
    apache tomcat 5.5.6
    apache tomcat 5.5.7
    apache tomcat 5.5.4
    apache tomcat 5.5.5
    apache tomcat 5.5.8
    apache tomcat 5.5.9
    apache tomcat 5.5.2
    apache tomcat 5.5.3
    apache tomcat 4.1.37
    apache tomcat 4.1.36
    apache tomcat 4.1.39
    apache tomcat 4.1.38
    apache tomcat 5.5.18
    apache tomcat 6.0.18
    apache tomcat 5.5.17
    apache tomcat 6.0.17
    apache tomcat 4.1.0
    apache tomcat 6.0.16
    apache tomcat 6.0.15
    apache tomcat 4.1.31
    apache tomcat 6.0.12
    apache tomcat 4.1.30
    apache tomcat 4.1.33
    apache tomcat 6.0.10
    apache tomcat 4.1.32

Attack Scenarios:

    No data available

False Positives:

    None known

False Negatives:

    None known

Corrective Action:

    Upgrade to the latest non-affected version
    Apply vendor-provided patches

Contributors:

    No data available

Additional References: