Apache Tomcat Directory Listing Saturation DoS

2005-11-03T11:42:45
ID OSVDB:20439
Type osvdb
Reporter David Maciejak(david.maciejak@kyxar.fr)
Modified 2005-11-03T11:42:45

Description

Vulnerability Description

Apache Tomcat contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker makes multiple concurrent requests for a directory listing that contains a large number of files. With a large number of requests, an attacker can cause the server to stop processing subsequent requests.

Technical Description

Successful exploitation requires that directory listing is enabled in a directory with a large number of files.

Solution Description

Upgrade to version 5.5.12 or higher, as it has been reported to partially fix this vulnerability by allowing operations to resume after a few minutes. It is also possible to correct the flaw by implementing the following workaround: disable directory listing for web directories that have a large number of files.

References:

Vendor URL: http://tomcat.apache.org/
Security Tracker: 1015147
Secunia Advisory ID: 17416
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0089.html
CVE-2005-3510
Bugtraq ID: 15325