Tomcat RequestDispatcher Bug Lets Remote Users Bypass Access Restrictions
|
|
SecurityTracker Alert ID: 1020623
|
|
SecurityTracker URL: http://securitytracker.com/id?1020623
|
|
CVE Reference: CVE-2008-2370
(Links to External Site)
|
Date: Aug 4 2008
|
Impact: Disclosure of system information, Disclosure of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 4.1.0 to 4.1.37, 5.5.0 to 5.5.26, 6.0.0 to 6.0.16
|
Description: A vulnerability was reported in Tomcat. A remote user can bypass certain access restriction.
When a RequestDispatcher is used, a remote user can submit a specially crafted request to access content that is ostensibly protected
by a security constraint or by its location under the WEB-INF directory.
Stefano Di Paola of Minded Security Research Labs reported
this vulnerability.
|
Impact: A remote user can bypass certain security restrictions to access content that is ostensibly protected.
|
Solution: The vendor has issued a fixed version (6.0.18).
For version 5.5.x, a fix is available via SVN or via this patch:
http://svn.apache.org/viewvc?rev=680947&view=rev
For version 4.1.x, a fix is available via SVN or via this patch:
http://svn.apache.org/viewvc?rev=680947&view=rev (connector
only)
http://svn.apache.org/viewvc?rev=680948&view=rev
The vendor's advisory is available at:
http://tomcat.apache.org/security.html
|
Vendor URL: tomcat.apache.org/security.html (Links to External Site)
|
Cause: Access control error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: Mark Thomas <markt@apache.org>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Fri, 01 Aug 2008 15:06:33 +0100
From: Mark Thomas <markt@apache.org>
Subject: [CVE-2008-2370] Apache Tomcat information disclosure vulnerability
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2008-2370: Apache Tomcat information disclosure vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 4.1.0 to 4.1.37
Tomcat 5.5.0 to 5.5.26
Tomcat 6.0.0 to 6.0.16
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected
Description:
When using a RequestDispatcher the target path was normalised before the
query string was removed. A request that included a specially crafted
request parameter could be used to access content that would otherwise be
protected by a security constraint or by locating it in under the WEB-INF
directory.
Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should obtain the latest source from svn or apply this patch
which will be included from 5.5.27
http://svn.apache.org/viewvc?rev=680949&view=rev
4.1.x users should obtain the latest source from svn or apply this patch
which will be included from 4.1.38
http://svn.apache.org/viewvc?rev=680950&view=rev
Example:
For a page that contains:
<%
pageContext.forward("/page2.jsp?somepar=someval&par="+request.getParameter("blah"
));
%>
an attacker can use:
http://host/page.jsp?blah=/../WEB-INF/web.xml
Credit:
This issue was discovered by Stefano Di Paola of Minded Security Research
Labs.
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkiTGGkACgkQb7IeiTPGAkNeQACdHk1KQ98Dx45Sc+Hslw/YIBH7
8b4An1WZ30LS34Pxx4Rc+VzqhswLLbZd
=Zbvc
-----END PGP SIGNATURE-----
|
|
