Tomcat UTF-8 'AllowLinking' Java Bug Lets Remote Users Traverse the Directory
SecurityTracker Alert ID: 1020665|
SecurityTracker URL: http://securitytracker.com/id/1020665
(Links to External Site)
Date: Aug 12 2008
Disclosure of system information, Disclosure of user information|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): 6.0.0 - 6.0.16|
A vulnerability was reported in Tomcat. A remote user can view files on the target system.|
A remote user can supply a specially crafted request to view files on target system that are located outside of the document directory.
If a context is configured with allowLinking="true" and the connector is configured with URIEncoding="UTF-8", the system may be vulnerable.
A demonstration exploit URL is provided:
A remote user can view files on the target system.|
The vendor has issued a fixed version (6.0.18).|
The vendor's advisory is available at:
Vendor URL: tomcat.apache.org/security.html (Links to External Site)
Input validation error|
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Date: 11 Aug 2008 08:52:44 -0000|
Subject: Apache Tomcat <= 6.0.18 UTF8 Directory Traversal Vulnerability
Title: Apache Tomcat Directory Traversal Vulnerability
Author: Simon Ryeo(bar4mi (at) gmail.com, barami (at) ahnlab.com)
Impact: Remote File Disclosure
Vulnerable Version: prior to 6.0.18
- Best Choice: Upgrade to 6.0.18 (http://tomcat.apache.org)
- Hot fix: Disable allowLinking or do not set URIencoding to utf8 in order to avoid this vulnerability.
- Tomcat 5.5.x and 4.1.x Users: The fix will be included in the next releases. Please apply the hot fix until next release.
- 07.17.2008: Initiate notify (To Apache Security Team)
- 08.02.2008: Responsed this problem fixed and released new version
- 08.05.2008: Notify disclosure (To Apache Tomcat Security Team)
- 08.10.2008: Responsed with some suggestions.
As Apache Security Team, this problem occurs because of JAVA side.
If your context.xml or server.xml allows 'allowLinking'and 'URIencoding' as
'UTF-8', an attacker can obtain your important system files.(e.g. /etc/passwd)
If your webroot directory has three depth(e.g /usr/local/wwwroot), An
attacker can access arbitrary files as below. (Proof-of-concept)