Tomcat Backslash Quote Cookie Processing Bug Lets Remote Users Obtain Session Information
|
SecurityTracker Alert ID: 1018557 |
SecurityTracker URL: http://securitytracker.com/id/1018557
|
CVE Reference:
CVE-2007-3385
(Links to External Site)
|
Date: Aug 14 2007
|
Impact:
Disclosure of system information
|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): 3.3 to 3.3.2, 4.1.0 to 4.1.36, 5.0.0 to 5.0.30, 5.5.0 to 5.5.24, 6.0.0 to 6.0.13
|
Description:
A vulnerability was reported in Tomcat. A remote user can obtain session information.
The software incorrectly interprets the backslash quote (\") character sequence in a cookie value. A remote user may be able to exploit this to obtain session information.
A demonstration exploit URL is provided:
http://[target]:8080/examples/servlets/servlet/CookieExample?cookiename=HAHA&cookievalue=%5C%22FOO%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2F%3B
Tomasz Kuczynski, Poznan Supercomputing and Networking Center, and CERT/CC reported this vulnerability.
|
Impact:
A remote user can may be able to hijack sessions.
|
Solution:
The vendor has issued a fixed version (6.0.14).
|
Vendor URL: tomcat.apache.org/ (Links to External Site)
|
Cause:
Access control error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Subject: CVE-2007-3385: Handling of \" in cookies
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2007-3385: Handling of \" in cookies
Severity:
Low (Session Hi-jacking)
Vendor:
The Apache Software Foundation
Versions Affected:
6.0.0 to 6.0.13
5.5.0 to 5.5.24
5.0.0 to 5.0.30
4.1.0 to 4.1.36
3.3 to 3.3.2
Description:
Tomcat incorrectly handles the character sequence \" in a cookie
value. In some circumstances this can lead to the leaking of
information such as session ID to an attacker.
Mitigation:
Upgrade to 6.0.14
Credit:
This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing
and Networking Center, who worked with the CERT/CC to report the
vulnerability.
Example:
http://localhost:8080/examples/servlets/servlet/CookieExample?cookiename=HAHA&cookievalue=%5C%22FOO%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2F%3B
References:
http://tomcat.apache.org/security.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGwSFlb7IeiTPGAkMRArdPAJ99AXYzSterU7oG+u8UrtQAd2lTZwCbBK2R
hwRixKaYOwWyj5kD+fLT1ls=
=hgTP
-----END PGP SIGNATURE-----
|
|