Apache Tomcat w/ Proxy Module Double Encoded Traversal Arbitrary File Access

2007-03-14T06:19:20
ID OSVDB:34769
Type osvdb
Reporter OSVDB
Modified 2007-03-14T06:19:20

Description

Vulnerability Description

Apache Tomcat, when configured to use the Proxy module, contains a flaw that may allow a remote attacker to gain access to privileged information. The issue is due to the server not properly sanitizing user-requested URIs containing crafted sequences with combinations of the "/" (slash), "\" (backslash) and URL-encoded backslash (%5C) characters. This may allow an attacker to use a URI with a crafted traversal sequence and access arbitrary files.
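The root cause above is a normalisation mismatch: a check that looks only for a literal "../" never sees a separator that arrives as "\" or as "%5C" (or as "%255C" after one decoding pass). The following is an added illustration, not code from OSVDB or from the Tomcat project; it contrasts a naive substring check with a canonicalising check that decodes repeatedly, folds backslashes to slashes and resolves ".." before deciding whether a path stays under an assumed application prefix of "/app/". All sample paths are constructed.

```python
from urllib.parse import unquote

def naive_check(path: str) -> bool:
    """Weak check: rejects only a literal '../' and never decodes.
    A '..\\' or '..%5C' separator slips straight past it."""
    return "../" not in path

def canonicalize(path: str, max_decode_rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding), treat '\\'
    as a separator, then resolve '.' and '..' segments.
    Raises ValueError if the path tries to climb above the root."""
    decoded = path
    for _ in range(max_decode_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        raise ValueError("encoding still changing after max rounds")
    decoded = decoded.replace("\\", "/")   # fold backslash to slash
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise ValueError("traversal escapes the root")
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)

def is_allowed(path: str, prefix: str = "/app/") -> bool:
    """Allow the request only if its canonical form stays under prefix
    (prefix is an assumed application root for this example)."""
    try:
        canon = canonicalize(path)
    except ValueError:
        return False
    return canon == prefix.rstrip("/") or canon.startswith(prefix)

if __name__ == "__main__":
    # constructed sample requests: legitimate, mixed-separator, double-encoded
    for p in ["/app/css/..%5Cindex.html", "/app/..%5Cprivate/notes.txt",
              "/app/%252e%252e%5Cprivate/notes.txt", "/app/../../x"]:
        print(f"{p:45} naive={naive_check(p)!s:5} canonical={is_allowed(p)}")
```

The naive check accepts every one of the sample paths, while the canonicalising check only accepts the first, which resolves to "/app/index.html".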

References:

Vendor URL: http://tomcat.apache.org/
Vendor Specific News/Changelog Entry: http://tomcat.apache.org/security-6.html
Vendor Specific News/Changelog Entry: http://tomcat.apache.org/security-5.html
Vendor Specific News/Changelog Entry: http://tomcat.apache.org/security-4.html
Secunia Advisory ID: 24732
Secunia Advisory ID: 24737
Secunia Advisory ID: 25280
Secunia Advisory ID: 27037
Secunia Advisory ID: 22588
Secunia Advisory ID: 26235
Secunia Advisory ID: 28365
Secunia Advisory ID: 25106
RedHat RHSA: RHSA-2007:0327
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200705-03.xml
Other Advisory URL: HPSBUX02262 SSRT071447:
Other Advisory URL: http://lists.opensuse.org/opensuse-security-announce/2007-08/msg00003.html
Other Advisory URL: http://www.sec-consult.com/287.html
Other Advisory URL: http://lists.suse.com/archive/suse-security-announce/2007-Mar/0009.html
Other Advisory URL: http://www.sec-consult.com/fileadmin/Advisories/20070314-0-apache_tomcat_directory_traversal.txt
Other Advisory URL: http://docs.info.apple.com/article.html?artnum=306172
Mail List Post: http://lists.vmware.com/pipermail/security-announce/2008/000003.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-03/0165.html
Keyword: SA-20070314-0
ISS X-Force ID: 32988
FrSIRT Advisory: ADV-2007-0975
CVE-2007-0450
Bugtraq ID: 22960