Apache Tomcat Malformed Post Request Information Disclosure

2005-09-30T12:04:34
ID OSVDB:19821
Type osvdb
Reporter OSVDB
Modified 2005-09-30T12:04:34

Description

Vulnerability Description

Apache Tomcat contains a flaw that may allow an attacker to gain access to privileged information. The issue occurs when a client specifies a Content-Length but disconnects before sending the request body. This is handled by the deprecated AJP connector by processing the request using the request body of the previous request. This may cause the server to return sensitive information.

Solution Description

Upgrade to version 4.1.HEAD or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Apache Tomcat contains a flaw that may allow an attacker to gain access to privileged information. The issue occurs when a client specifies a Content-Length but disconnects before sending the request body. This is handled by the deprecated AJP connector by processing the request using the request body of the previous request. This may cause the server to return sensitive information.

References:

Vendor Specific News/Changelog Entry: http://tomcat.apache.org/security-4.html Secunia Advisory ID:17019 Other Advisory URL: http://www.hitachi-support.com/security_e/vuls_e/HS05-019_e/index-e.html Other Advisory URL: http://jvn.jp/jp/JVN%2379314822/index.html Keyword: HS05-019 CVE-2005-3164 Bugtraq ID: 15003