SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Web Server/CGI)  >  Apache Tomcat
Vendors:  Apache Software Foundation
Tomcat Single Quote Cookie Processing Bug Lets Remote Users Obtain Session Information
SecurityTracker Alert ID:  1018556
SecurityTracker URL:  http://securitytracker.com/id/1018556
CVE Reference:  CVE-2007-3382
Date:  Aug 14 2007
Impact:   Disclosure of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 3.3 to 3.3.2, 4.1.0 to 4.1.36, 5.0.0 to 5.0.30, 5.5.0 to 5.5.24, 6.0.0 to 6.0.13
Description:   A vulnerability was reported in Tomcat. A remote user can obtain session information.

The software incorrectly interprets a single quote (') character in a cookie value as a delimiter. A remote user may be able to exploit this to hijack sessions.

A demonstration exploit URL is provided:

http://[target]:8080/servlets-examples/servlet/CookieExample?cookiename=BLOCKER&cookievalue=%5C%22A%3D%27%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2Fservlets-examples%2Fservlet+%3B

Tomasz Kuczynski, Poznan Supercomputing and Networking Center and CERT/CC reported this vulnerability.
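The delimiter confusion described above, as an added example that is not part of this page or of Tomcat's own code: two small parsers for the HTTP Cookie request header, one that follows RFC 2109 quoting (only a double quote opens a quoted value) and one that additionally treats a single quote as a quote delimiter, the class of defect this advisory describes. The parser structure, the constructed header, the placeholder JSESSIONID value and the function names (`parse_cookie_header_rfc2109`, `parse_cookie_header_buggy`, `session_is_isolated`) are assumptions made for illustration, not Tomcat's parser.

```python
"""
Cookie-header parsing: why a single quote must not act as a delimiter.

Constructed example, not Tomcat's implementation. On a header whose first
cookie value contains an unbalanced single quote, a parser that treats '
as a quote character runs the quoted value past the ';' separator and
absorbs the following cookie (here a constructed session cookie) into the
first cookie's value. Any code that later echoes that first cookie would
then expose the session identifier, which is the leak the advisory warns
about. The RFC 2109 parser keeps the two cookies separate.
"""
from typing import Dict


def _parse(header: str, quote_chars: str) -> Dict[str, str]:
    """Minimal Cookie-header parser; quote_chars lists the characters that
    open a quoted value. Only '"' is legitimate per RFC 2109."""
    cookies: Dict[str, str] = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in "; \t":  # skip separators/whitespace
            i += 1
        if i >= n:
            break
        j = i
        while j < n and header[j] not in "=;":  # name runs up to '=' or ';'
            j += 1
        name = header[i:j].strip()
        if j >= n or header[j] == ";":  # bare name with no value
            cookies[name] = ""
            i = j
            continue
        i = j + 1  # past '='
        if i < n and header[i] in quote_chars:
            q = header[i]
            i += 1
            start = i
            while i < n and header[i] != q:  # scan to the matching quote
                if header[i] == "\\" and i + 1 < n:  # backslash escape
                    i += 1
                i += 1
            # If no closing quote exists, the "value" is the rest of the
            # header, including every cookie that follows.
            value = header[start:i]
            i += 1
        else:
            start = i
            while i < n and header[i] != ";":
                i += 1
            value = header[start:i].strip()
        cookies[name] = value
    return cookies


def parse_cookie_header_rfc2109(header: str) -> Dict[str, str]:
    """Correct behaviour: only a double quote opens a quoted value."""
    return _parse(header, '"')


def parse_cookie_header_buggy(header: str) -> Dict[str, str]:
    """Defective behaviour: a single quote is also accepted as a delimiter."""
    return _parse(header, "\"'")


def session_is_isolated(cookies: Dict[str, str], session_name: str = "JSESSIONID") -> bool:
    """Defender's check: the session cookie must be parsed as its own entry
    and its name must not appear inside any other cookie's value."""
    if session_name not in cookies:
        return False
    return not any(session_name + "=" in v for k, v in cookies.items() if k != session_name)


# Constructed request header: a cookie value carrying an unbalanced single
# quote, followed by a placeholder session cookie (not a real session id).
SAMPLE_HEADER = "BLOCKER='A; JSESSIONID=SESSIONID_PLACEHOLDER"


if __name__ == "__main__":
    for label, parser in (("rfc2109", parse_cookie_header_rfc2109),
                          ("buggy", parse_cookie_header_buggy)):
        parsed = parser(SAMPLE_HEADER)
        print(label, parsed, "session isolated:", session_is_isolated(parsed))
```

Running the block shows the RFC 2109 parser returning BLOCKER and JSESSIONID as separate entries, while the single-quote variant returns a single BLOCKER entry whose value contains the whole `JSESSIONID=...` pair and fails the isolation check; on a well-formed header such as `a="x;y"; b=2` both parsers agree, which is why the defect went unnoticed in ordinary traffic.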

Impact:   A remote user may be able to hijack sessions.
Solution:   The vendor has issued a fixed version (6.0.14).
Vendor URL:  tomcat.apache.org/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 26 2007 (Red Hat Issues Fix) Tomcat Single Quote Cookie Processing Bug Lets Remote Users Obtain Session Information
Red Hat has released a fix for Red Hat Enterprise Linux 5.
Nov 6 2007 (Red Hat Issues Fix for JBoss) Tomcat Single Quote Cookie Processing Bug Lets Remote Users Obtain Session Information
Red Hat has released a fix for JBoss on Red Hat Application Stack.
Apr 28 2008 (Red Hat Issues Fix) Tomcat Single Quote Cookie Processing Bug Lets Remote Users Obtain Session Information
Red Hat has released a fix for Red Hat Developer Suite v.3.
Jul 1 2008 (Apple Issues Fix for Mac OS X) Tomcat Single Quote Cookie Processing Bug Lets Remote Users Obtain Session Information
Apple has issued a fix for Mac OS X.



Source Message Contents

Subject:  CVE-2007-3382: Handling of cookies containing a ' character

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2007-3382: Handling of cookies containing a ' character

Severity:
Low (Session Hi-jacking)

Vendor:
The Apache Software Foundation

Versions Affected:
6.0.0 to 6.0.13
5.5.0 to 5.5.24
5.0.0 to 5.0.30
4.1.0 to 4.1.36
3.3 to 3.3.2

Description:
Tomcat incorrectly treats a single quote character (') in a cookie
value as a delimiter. In some circumstances this can lead to the
leaking of information such as session ID to an attacker.

Mitigation:
Upgrade to 6.0.14

Credit:
This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing
and Networking Center, who worked with the CERT/CC to report the
vulnerability.

Example:
http://localhost:8080/servlets-examples/servlet/CookieExample?cookiename=BLOCKER&cookievalue=%5C%22A%3D%27%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2Fservlets-examples%2Fservlet+%3B

References:
http://tomcat.apache.org/security.html

Mark Thomas


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGwSFVb7IeiTPGAkMRAjkwAKDnu+C08WRZazmZfzunFeHcitsvnACg3CtP
6c6FCxbFOcfxhqqayg8kdUI=
=MkDj
-----END PGP SIGNATURE-----


Copyright 2019, SecurityGlobal.net LLC