Re: [Full-disclosure] [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
- From: Christopher Schultz <chris@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 04 Jun 2009 12:48:19 -0400
On 6/3/2009 11:42 AM, Mark Thomas wrote:
> CVE-2009-0580: Tomcat information disclosure vulnerability
I know I'm likely to get a vague response, but could you provide some
more info about this issue?
> Due to insufficient error checking in some authentication classes,
> Tomcat allows for the enumeration (brute force testing) of usernames by
> supplying illegally URL encoded passwords.
I'm not sure how the patch (I read the patch for TC5.5
DataSourceRealm.java) changes anything at all: it appears to be merely a
No changes are made to the behavior of Tomcat, since the same null is
returned to the caller if the credentials do not match.
I don't see any information disclosure vulnerability in the first place,
and I don't see how your patch would have fixed it.
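The mechanism the quoted advisory paragraph describes, illustrated with an added example that is not from this thread and is not Tomcat's DataSourceRealm code: a simplified realm whose authenticate method touches the supplied credential only after the user lookup, beside a version that validates input before the lookup. It assumes that an illegally URL-encoded password reaches the realm as a null credential, and the class, user store and method names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
public class RealmEnumerationDemo {
    // Constructed user store (username -> stored password, plain text for brevity).
    private static final Map<String, String> USERS = new HashMap<>();
    static { USERS.put("alice", "s3cret"); }

    // Stand-in for the stored-credential lookup; null when the user is unknown.
    static String getPassword(String username) { return USERS.get(username); }

    // Vulnerable pattern: the supplied credential is dereferenced only after a
    // user has been found. With a null credential (assumed here to be what an
    // illegally URL-encoded password arrives as) a NullPointerException escapes
    // for existing users, while unknown users get the ordinary null failure.
    static String authenticateVulnerable(String username, String credentials) {
        String serverCredentials = getPassword(username);
        if (serverCredentials == null) {
            return null;                              // unknown user: plain failure
        }
        if (credentials.equals(serverCredentials)) {  // NPE when credentials is null
            return username;
        }
        return null;                                  // known user, wrong password
    }

    // Hardened pattern: reject missing input before any lookup and give every
    // failure the same return path, so the response no longer depends on
    // whether the username exists.
    static String authenticateFixed(String username, String credentials) {
        if (username == null || credentials == null) {
            return null;
        }
        String serverCredentials = getPassword(username);
        if (serverCredentials != null && serverCredentials.equals(credentials)) {
            return username;
        }
        return null;
    }
    public static void main(String[] args) {
        for (String name : new String[] {"alice", "bob"}) {
            String outcome;
            try {
                outcome = String.valueOf(authenticateVulnerable(name, null));
            } catch (NullPointerException e) {
                outcome = "NullPointerException";     // only the existing user hits this
            }
            System.out.println(name + " -> vulnerable: " + outcome + ", fixed: " + authenticateFixed(name, null));
        }
    }
}
```

A practitioner verifying a fix compares the server's response for a known and an unknown username given the same malformed input; the fix is complete only when the two responses are indistinguishable.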
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/