[CVE-2008-2370] Apache Tomcat information disclosure vulnerability


CVE-2008-2370: Apache Tomcat information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.37
Tomcat 5.5.0 to 5.5.26
Tomcat 6.0.0 to 6.0.16
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Description:
When using a RequestDispatcher, the target path was normalised before the
query string was removed. A request that included a specially crafted
request parameter could therefore be used to access content that would
otherwise be protected by a security constraint or by being located under
the WEB-INF directory.

Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should obtain the latest source from svn or apply this patch
which will be included from 5.5.27
http://svn.apache.org/viewvc?rev=680949&view=rev
4.1.x users should obtain the latest source from svn or apply this patch
which will be included from 4.1.38
http://svn.apache.org/viewvc?rev=680950&view=rev

Example:
For a page that contains:
<%
pageContext.forward("/page2.jsp?somepar=someval&par="+request.getParameter("blah"));
%>
an attacker can use:
http://host/page.jsp?blah=/../WEB-INF/web.xml
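As an added illustration (not part of the advisory or of Tomcat's source), the following Python reproduces the two orderings described above: normalising the whole forward target before removing the query string, versus removing the query string first. The `normalise`, `split_query`, `resolve_vulnerable` and `resolve_fixed` functions are constructed for this example.

```python
# Order-of-operations defect behind CVE-2008-2370, reproduced in Python
# (illustration only, not Tomcat's code). A RequestDispatcher target of the
# form "/path?query" must have its query string removed BEFORE the path is
# normalised; otherwise "/.." inside a parameter value acts as path segments.
from typing import Optional, Tuple


def normalise(path: str) -> Optional[str]:
    """Collapse "." and ".." segments; None if ".." climbs above the root."""
    out = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not out:
                return None  # would escape the context root: reject
            out.pop()
        else:
            out.append(segment)
    return "/" + "/".join(out)


def split_query(target: str) -> Tuple[str, str]:
    """Split "/path?query" at the first '?' into (path, query)."""
    path, _, query = target.partition("?")
    return path, query


def resolve_vulnerable(target: str) -> Tuple[Optional[str], str]:
    """Pre-fix ordering: normalise the whole target, then strip the query."""
    normalised = normalise(target)
    if normalised is None:
        return None, ""
    return split_query(normalised)


def resolve_fixed(target: str) -> Tuple[Optional[str], str]:
    """Fixed ordering: strip the query first, then normalise only the path."""
    path, query = split_query(target)
    return normalise(path), query


if __name__ == "__main__":
    # Constructed: the advisory's forward() argument once the request has
    # supplied blah=/../WEB-INF/web.xml
    target = "/page2.jsp?somepar=someval&par=/../WEB-INF/web.xml"
    print("vulnerable ->", resolve_vulnerable(target))  # ('/WEB-INF/web.xml', '')
    print("fixed      ->", resolve_fixed(target))  # ('/page2.jsp', 'somepar=someval&par=/../WEB-INF/web.xml')
```

With the pre-fix ordering the parameter value rewrites the dispatch path to /WEB-INF/web.xml; with the corrected ordering the path stays /page2.jsp and the traversal sequence remains inert inside the query string.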

Credit:
This issue was discovered by Stefano Di Paola of Minded Security Research
Labs.

References:
http://tomcat.apache.org/security.html

Mark Thomas