SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Web Server/CGI)  >   Apache Tomcat Vendors:   Apache Software Foundation
Tomcat RequestDispatcher Bug Lets Remote Users Bypass Access Restrictions
SecurityTracker Alert ID:  1020623
SecurityTracker URL:  http://securitytracker.com/id/1020623
CVE Reference:   CVE-2008-2370   (Links to External Site)
Date:  Aug 4 2008
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.1.0 to 4.1.37, 5.5.0 to 5.5.26, 6.0.0 to 6.0.16
Description:   A vulnerability was reported in Tomcat. A remote user can bypass certain access restriction.

When a RequestDispatcher is used, a remote user can submit a specially crafted request to access content that is ostensibly protected by a security constraint or by its location under the WEB-INF directory.

Stefano Di Paola of Minded Security Research Labs reported this vulnerability.

Impact:   A remote user can bypass certain security restrictions to access content that is ostensibly protected.
Solution:   The vendor has issued a fixed version (6.0.18).

For version 5.5.x, a fix is available via SVN or via this patch:

http://svn.apache.org/viewvc?rev=680947&view=rev

For version 4.1.x, a fix is available via SVN or via this patch:

http://svn.apache.org/viewvc?rev=680947&view=rev (connector only)
http://svn.apache.org/viewvc?rev=680948&view=rev

The vendor's advisory is available at:

http://tomcat.apache.org/security.html

Vendor URL:  tomcat.apache.org/security.html (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 27 2008 (Red Hat Issues Fix) Tomcat RequestDispatcher Bug Lets Remote Users Bypass Access Restrictions
Red Hat has released a fix for Red Hat Enterprise Linux 5.
Sep 22 2008 (Red Hat Issues Fix for JBoss) Tomcat RequestDispatcher Bug Lets Remote Users Bypass Access Restrictions
Red Hat has released a fix for JBoss Enterprise Application Platform for Red Hat Enterprise Linux 4 and 5.
Oct 3 2008 (Red Hat Issues Fix) Tomcat RequestDispatcher Bug Lets Remote Users Bypass Access Restrictions
Red Hat has released a fix for Red Hat Developer Suite.
Oct 3 2008 (Red Hat Issues Fix) Tomcat RequestDispatcher Bug Lets Remote Users Bypass Access Restrictions
Red Hat has released a fix for Red Hat Application Server.
Dec 8 2008 (Red Hat Issues Fix) Tomcat RequestDispatcher Bug Lets Remote Users Bypass Access Restrictions
Red Hat has released a fix for Red Hat Network Satellite Server.
Feb 24 2009 (VMware Issues Fix for VirtualCenter) Tomcat RequestDispatcher Bug Lets Remote Users Bypass Access Restrictions
VMware has issued a fix for VirtualCenter.
Feb 26 2009 (Sun Issues Fix) Tomcat RequestDispatcher Bug Lets Remote Users Bypass Access Restrictions
Sun has issued a fix for Solaris 9 and 10 and OpenSolaris.
Oct 16 2009 (VMware Issues Fix for ESX Server) Tomcat RequestDispatcher Bug Lets Remote Users Bypass Access Restrictions
VMware has issued a fix for ESX Server 3.5.
Mar 31 2010 (Apache Issues Fix for CouchDB) Tomcat RequestDispatcher Bug Lets Remote Users Bypass Access Restrictions
Apache has issued a fix for CouchDB.



 Source Message Contents

Subject:  [CVE-2008-2370] Apache Tomcat information disclosure vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-2370: Apache Tomcat information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.37
Tomcat 5.5.0 to 5.5.26
Tomcat 6.0.0 to 6.0.16
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Description:
When using a RequestDispatcher the target path was normalised before the
query string was removed. A request that included a specially crafted
request parameter could be used to access content that would otherwise be
protected by a security constraint or by locating it in under the WEB-INF
directory.

Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should obtain the latest source from svn or apply this patch
which will be included from 5.5.27
http://svn.apache.org/viewvc?rev=680949&view=rev
4.1.x users should obtain the latest source from svn or apply this patch
which will be included from 4.1.38
http://svn.apache.org/viewvc?rev=680950&view=rev

Example:
For a page that contains:
<%
pageContext.forward("/page2.jsp?somepar=someval&par="+request.getParameter("blah"));
%>
an attacker can use:
http://host/page.jsp?blah=/../WEB-INF/web.xml

Credit:
This issue was discovered by ´╗┐Stefano Di Paola of Minded Security Research
Labs.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkiTGGkACgkQb7IeiTPGAkNeQACdHk1KQ98Dx45Sc+Hslw/YIBH7
8b4An1WZ30LS34Pxx4Rc+VzqhswLLbZd
=Zbvc
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC