SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Apache Tomcat
Vendors:   Apache Software Foundation
Tomcat Backslash Quote Cookie Processing Bug Lets Remote Users Obtain Session Information
SecurityTracker Alert ID:  1018557
SecurityTracker URL:  http://securitytracker.com/id/1018557
CVE Reference:   CVE-2007-3385
Date:  Aug 14 2007
Impact:   Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.3 to 3.3.2, 4.1.0 to 4.1.36, 5.0.0 to 5.0.30, 5.5.0 to 5.5.24, 6.0.0 to 6.0.13
Description:   A vulnerability was reported in Tomcat. A remote user can obtain session information.

The software incorrectly interprets the backslash quote (\") character sequence in a cookie value. A remote user may be able to exploit this to obtain session information.

A demonstration exploit URL is provided:

http://[target]:8080/examples/servlets/servlet/CookieExample?cookiename=HAHA&cookievalue=%5C%22FOO%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2F%3B

Tomasz Kuczynski, Poznan Supercomputing and Networking Center, and CERT/CC reported this vulnerability.
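
A log-review sketch for the cookie value described above, added here as an example and not part of the SecurityTracker entry or the vendor advisory: it URL-decodes query parameters from access-log lines and flags values that carry the backslash-quote sequence or cookie attribute syntax. The log lines are constructed, the function names and the assumed log format are hypothetical, and the character class follows the RFC 6265 cookie-octet definition.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# RFC 6265 cookie-octet: printable ASCII minus space, DQUOTE, comma, semicolon, backslash.
COOKIE_OCTETS = re.compile(r'[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*')
# Cookie attribute names that should never appear inside a cookie *value*.
ATTR_IN_VALUE = re.compile(r';\s*(expires|path|domain|max-age|secure|httponly)\b', re.I)
# Request line of a common/combined-format access log entry (assumed log format).
REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines; the second mirrors the shape of the advisory's example URL.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Aug/2007:10:00:00 +0000] "GET /examples/servlets/servlet/'
    'CookieExample?cookiename=theme&cookievalue=dark HTTP/1.1" 200 1024',
    '192.0.2.11 - - [14/Aug/2007:10:00:05 +0000] "GET /examples/servlets/servlet/'
    'CookieExample?cookiename=HAHA&cookievalue=%5C%22FOO%3B+Expires%3DThu%2C+1+Jan'
    '+2009+00%3A00%3A01+UTC%3B+Path%3D%2F%3B HTTP/1.1" 200 1024',
]

def classify_value(value):
    """Return the reasons a decoded parameter value is unsafe to use as a cookie value."""
    reasons = []
    if '\\"' in value:                      # the \" sequence named in CVE-2007-3385
        reasons.append("backslash-quote")
    if ATTR_IN_VALUE.search(value):         # e.g. "; Expires=..." smuggled into the value
        reasons.append("embedded-attribute")
    if not COOKIE_OCTETS.fullmatch(value):  # anything outside the RFC 6265 value alphabet
        reasons.append("non-cookie-octet")
    return reasons

def scan_access_log(lines):
    """Return (line_no, parameter, reasons) for parameters that warrant review."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify_value(value)
            # Report only the two high-signal conditions to keep noise down.
            if "backslash-quote" in reasons or "embedded-attribute" in reasons:
                findings.append((line_no, name, reasons))
    return findings

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The same `classify_value` check can serve as input validation before an application copies request data into a cookie.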

Impact:   A remote user may be able to hijack sessions.
Solution:   The vendor has issued a fixed version (6.0.14).
Vendor URL:  tomcat.apache.org/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 26 2007 (Red Hat Issues Fix) Tomcat Backslash Quote Cookie Processing Bug Lets Remote Users Obtain Session Information
Red Hat has released a fix for Red Hat Enterprise Linux 5.
Nov 6 2007 (Red Hat Issues Fix for JBoss) Tomcat Backslash Quote Cookie Processing Bug Lets Remote Users Obtain Session Information
Red Hat has released a fix for JBoss on Red Hat Application Stack.
Apr 28 2008 (Red Hat Issues Fix) Tomcat Backslash Quote Cookie Processing Bug Lets Remote Users Obtain Session Information
Red Hat has released a fix for Red Hat Developer Suite v.3.
Jul 1 2008 (Apple Issues Fix for Mac OS X) Tomcat Backslash Quote Cookie Processing Bug Lets Remote Users Obtain Session Information
Apple has issued a fix for Mac OS X.



 Source Message Contents

Subject:  CVE-2007-3385: Handling of \" in cookies

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2007-3385: Handling of \" in cookies

Severity:
Low (Session Hi-jacking)

Vendor:
The Apache Software Foundation

Versions Affected:
6.0.0 to 6.0.13
5.5.0 to 5.5.24
5.0.0 to 5.0.30
4.1.0 to 4.1.36
3.3 to 3.3.2

Description:
Tomcat incorrectly handles the character sequence \" in a cookie
value. In some circumstances this can lead to the leaking of
information such as session ID to an attacker.

Mitigation:
Upgrade to 6.0.14

Credit:
This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing
and Networking Center, who worked with the CERT/CC to report the
vulnerability.

Example:
http://localhost:8080/examples/servlets/servlet/CookieExample?cookiename=HAHA&cookievalue=%5C%22FOO%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2F%3B

References:
http://tomcat.apache.org/security.html


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGwSFlb7IeiTPGAkMRArdPAJ99AXYzSterU7oG+u8UrtQAd2lTZwCbBK2R
hwRixKaYOwWyj5kD+fLT1ls=
=hgTP
-----END PGP SIGNATURE-----

 
 

