SecurityTracker.com
SecurityTracker Archives

Category: Application (Web Server/CGI) > Apache Tomcat
Vendors: Apache Software Foundation
Tomcat Bug Lets Web Applications Access the Files of Other Web Applications
SecurityTracker Alert ID:  1022336
SecurityTracker URL:  http://securitytracker.com/id/1022336
CVE Reference:   CVE-2009-0783
Date:  Jun 4 2009
Impact:   Disclosure of user information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.1.0 to 4.1.39, 5.5.0 to 5.5.27, 6.0.0 to 6.0.18
Description:   A vulnerability was reported in Tomcat. A remote authenticated user who can deploy a web application can read or modify configuration files belonging to other web applications on the target system.

A deployed web application can replace the XML parser that Tomcat uses to process web.xml, context.xml, and tld files. If that web application is the first web application loaded, it can view or modify the web.xml, context.xml, and tld files of other web applications deployed on the same Tomcat instance.

Philippe Prados reported this vulnerability.

Impact:   A remote authenticated user with privileges to deploy a web application can access other web applications on the target system.
Solution:   The vendor has issued a fix for the 6.0.x branch (6.0.20). The fix will be included in the future releases 4.1.40 and 5.5.28; source patches for the 4.1.x and 5.5.x branches are listed in the source message below.
Vendor URL:  tomcat.apache.org/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 6 2009 (Red Hat Issues Fix for JBoss) Tomcat Bug Lets Web Applications Access the Files of Other Web Applications
Red Hat has released a fix for JBoss Enterprise Application Platform (JBEAP) 4.2 for Red Hat Enterprise Linux 5.
Jul 22 2009 (Red Hat Issues Fix) Tomcat Bug Lets Web Applications Access the Files of Other Web Applications
Red Hat has released a fix for Red Hat Enterprise Linux 5.
Sep 21 2009 (Red Hat Issues Fix for JBoss) Tomcat Bug Lets Web Applications Access the Files of Other Web Applications
Red Hat has released a fix for JBoss Enterprise Web Server 1.0.0 for Red Hat Enterprise Linux 4 and 5.
Oct 14 2009 (Red Hat Issues Fix for JBoss) Tomcat Bug Lets Web Applications Access the Files of Other Web Applications
Red Hat has released a fix for Tomcat6 for JBoss Enterprise Web Server 1.0.0 for Red Hat Enterprise Linux 4 and 5.
Nov 10 2009 (Red Hat Issues Fix) Tomcat Bug Lets Web Applications Access the Files of Other Web Applications
Red Hat has issued a fix for Red Hat Application Server v2.
Dec 1 2009 (Red Hat Issues Fix for Red Hat Network Satellite Server) Tomcat Bug Lets Web Applications Access the Files of Other Web Applications
Red Hat has issued a fix for Red Hat Network Satellite Server 5.2 and 5.3.
Dec 1 2009 (Red Hat Issues Fix for Red Hat Network Satellite Server) Tomcat Bug Lets Web Applications Access the Files of Other Web Applications
Red Hat has issued a fix for Red Hat Network Satellite Server 5.1.
Nov 24 2010 (HP Issues Fix for HP-UX) Tomcat Bug Lets Web Applications Access the Files of Other Web Applications
HP has issued a fix for HP-UX 11.23 and 11.31.



 Source Message Contents

Subject:  [SECURITY] CVE-2009-0783 Apache Tomcat Information disclosure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2009-0783: Apache Tomcat information disclosure vulnerability

Severity: low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 6.0.0 to 6.0.18
Tomcat 5.5.0 to 5.5.27
Tomcat 4.1.0 to 4.1.39

The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected.

Description:
Bugs https://issues.apache.org/bugzilla/show_bug.cgi?id=29936 and
https://issues.apache.org/bugzilla/show_bug.cgi?id=45933 allowed a web
application to replace the XML parser used by Tomcat to process web.xml,
context.xml and tld files. If a web application is the first web
application loaded, these bugs allow that web application to potentially
view and/or alter the web.xml, context.xml and tld files of other web
applications deployed on the Tomcat instance.

Mitigation:
6.0.x users should do one of the following:
 - upgrade to 6.0.20
 - apply these patches
   - http://svn.apache.org/viewvc?rev=739522&view=rev
   - http://svn.apache.org/viewvc?rev=652592&view=rev
5.5.x users should do one of the following:
 - upgrade to 5.5.28 when released
 - apply these patches
   - http://svn.apache.org/viewvc?rev=781542&view=rev
   - http://svn.apache.org/viewvc?rev=681156&view=rev
4.1.x users should do one of the following:
 - upgrade to 4.1.40 when released
 - apply this patch http://svn.apache.org/viewvc?rev=781708&view=rev

Example:
See https://issues.apache.org/bugzilla/show_bug.cgi?id=29936#c12 for an
example web application that can be used to replace the XML parser used
by Tomcat.

Credit:
The security implications of these bugs were discovered and reported to
the Apache Software Foundation by Philippe Prados.


References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-4.html

The Apache Tomcat Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkonw6EACgkQb7IeiTPGAkM8qACgyxH+hBK4r4DprZhIqd97x/V1
/7EAnRMaJsKIoPzBQgOtOhM3vOCtyL+F
=B+Gu
-----END PGP SIGNATURE-----
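The mechanism the advisory describes, a web application replacing the XML parser Tomcat uses, rests on the standard JAXP factory lookup: SAXParserFactory.newInstance() consults the thread context class loader for a META-INF/services provider entry, and a container sets that loader to the web application's own loader before it parses the application's descriptors, so a provider file in a WEB-INF/lib jar is found. What follows is an added example written for this page; it is not code from Tomcat, from the advisory, or from the linked bug reports, and it does not reproduce Tomcat's patches (those are the SVN revisions listed above). ParserHijackDemo and SpyFactory are constructed names, a temporary directory stands in for the jar in WEB-INF/lib, and the code assumes Java 9 or later for SAXParserFactory.newDefaultInstance(). It shows the lookup-based call picking up the hostile provider, beside a pinned call that does not.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

/**
 * Constructed demonstration (not Tomcat code): a JAXP factory lookup picks up a
 * provider advertised through the thread context class loader, which is the
 * loader a container installs before it touches a web application.
 */
public class ParserHijackDemo {

    /** Stand-in for a hostile provider shipped in a webapp's WEB-INF/lib. */
    public static class SpyFactory extends SAXParserFactory {
        /** Number of parsers handed out through the hijacked factory. */
        public static int parsersCreated = 0;

        // Delegate to the JDK's real implementation. newDefaultInstance() (Java 9+)
        // bypasses provider lookup, so the spy does not resolve to itself.
        private final SAXParserFactory real = SAXParserFactory.newDefaultInstance();

        @Override
        public SAXParser newSAXParser() throws ParserConfigurationException, SAXException {
            parsersCreated++;
            // A real attacker would wrap the returned parser to read or rewrite every
            // document the container parses (web.xml, context.xml, tld files).
            return real.newSAXParser();
        }

        @Override
        public void setFeature(String name, boolean value)
                throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
            real.setFeature(name, value);
        }

        @Override
        public boolean getFeature(String name)
                throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
            return real.getFeature(name);
        }
    }

    /** Builds a throw-away "WEB-INF/lib" directory holding only the JAXP service file. */
    static ClassLoader buildHostileWebappLoader() throws Exception {
        Path lib = Files.createTempDirectory("hostile-webapp-lib");
        Path services = lib.resolve("META-INF").resolve("services");
        Files.createDirectories(services);
        // The provider file names the factory class a lookup should instantiate.
        Files.write(services.resolve("javax.xml.parsers.SAXParserFactory"),
                SpyFactory.class.getName().getBytes(StandardCharsets.UTF_8));
        // Parent is the loader that already holds SpyFactory; a real WEB-INF/lib jar
        // would carry the class itself alongside the service file.
        return new URLClassLoader(new URL[] { lib.toUri().toURL() },
                ParserHijackDemo.class.getClassLoader());
    }

    public static void main(String[] args) throws Exception {
        Thread t = Thread.currentThread();
        ClassLoader saved = t.getContextClassLoader();
        t.setContextClassLoader(buildHostileWebappLoader());   // what a container does per webapp
        try {
            // Weak: provider lookup walks the context class loader and finds the spy.
            SAXParserFactory looked = SAXParserFactory.newInstance();
            looked.newSAXParser();
            System.out.println("newInstance()        -> " + looked.getClass().getName()
                    + " (spy parsers: " + SpyFactory.parsersCreated + ")");

            // Hardened: pin the implementation, so webapp-controlled loaders are never consulted.
            // On Java 6 to 8 the equivalent is newInstance(<factory class name>, <trusted loader>).
            SAXParserFactory pinned = SAXParserFactory.newDefaultInstance();
            pinned.newSAXParser();
            System.out.println("newDefaultInstance() -> " + pinned.getClass().getName()
                    + " (spy parsers: " + SpyFactory.parsersCreated + ")");
        } finally {
            t.setContextClassLoader(saved);
        }
    }
}
```

Run it with `java ParserHijackDemo.java` on Java 11 or later: the first line names SpyFactory and a spy parser count of 1, the second names the JDK's own factory and the count stays at 1. Pinning only helps if none of the container's own code paths fall back to the lookup-based call, which is why this class of fix has to cover every place the container parses XML. The advisory's precondition that the hostile application be the first one loaded is not modelled here; the demo only shows how the lookup is captured once the hostile loader is the context loader.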

Copyright 2020, SecurityGlobal.net LLC