SA-20070314-0.txt

`SEC Consult Security Advisory < 20070314-0 >  
=======================================================================  
title: Apache HTTP Server / Tomcat directory traversal  
program: Apache HTTP Server / Apache Tomcat  
vulnerable version: Apache Tomcat 5.x: < 5.5.22  
Apache Tomcat 6.x: < 6.0.10  
CVE: CVE-2007-0450  
impact: high  
homepage: http://httpd.apache.org/  
http://tomcat.apache.org/  
found: 2006-11-27  
by: D. Matscheko / SEC-CONSULT / www.sec-consult.com  
=======================================================================  
  
Vendor description:  
---------------  
  
The Apache HTTP Server Project is an effort to develop and maintain  
an open-source HTTP server for modern operating systems including  
UNIX and Windows NT. The goal of this project is to provide a  
secure, efficient and extensible server that provides HTTP services  
in sync with the current HTTP standards.  
  
[Source: http://httpd.apache.org/]  
  
Apache Tomcat is the servlet container that is used in the official  
Reference Implementation for the Java Servlet and JavaServer Pages  
technologies. The Java Servlet and JavaServer Pages specifications  
are developed by Sun under the Java Community Process.  
  
[Source: http://tomcat.apache.org/]  
  
  
Vulnerability overview:  
---------------  
  
If the Apache HTTP Server and Tomcat are configured to interoperate  
with the common proxy modules (mod_proxy, mod_rewrite, mod_jk), an  
attacker might be able to break out of the intended destination  
path up to the webroot in Tomcat.  
  
  
Vulnerability description:  
---------------  
  
* The only character found to be accepted as directory separator  
from Apache is "/" (slash).  
* On the other hand Tomcat allows characters including URI encoded  
characters like "/" (slash), "\" (backslash) or "%5C" (backslash  
URI encoded).  
  
This allowing an attacker to utilize directory traversing attack  
methods.  
  
Depending on the configuration HTTP requests, including strings like  
"/\../" allow attackers to break out of the given context- and  
directory structures.  
  
  
Example / proof of concept:  
---------------  
  
As an example an URL like  
  
"http://www.example.com/foo/\../manager/html"  
  
would point to the Tomcat Manager Application. If the password for  
the Tomcat Manager can be guessed, it is possible to deploy new  
applications like e.g. a remote command shell.  
  
Note: Using this method, the Tomcat Manager and also other web  
applications can be accessed over port 80, even if they are not  
proxied by the Apache HTTP Server. Port 8080 (the Tomcat HTTP port)  
and 8009 (the Tomcat AJP port) can be and are assumed to be blocked  
by a firewall.  
  
  
Vulnerable versions:  
---------------  
  
Apache Tomcat < 5.5.22  
Apache Tomcat < 6.0.10  
  
  
Vendor status:  
---------------  
  
vendor notified: 2007-02-08  
vendor response: 2007-02-08  
patch available: 2007-02-28  
disclosure: 2007-03-14  
  
  
http://www.sec-consult.com/286.html  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Unternehmensberatung GmbH  
  
Office Vienna  
Blindengasse 3  
A-1080 Wien  
Austria  
  
Tel.: +43 / 1 / 890 30 43 - 0  
Fax.: +43 / 1 / 890 30 43 - 25  
Mail: research at sec-consult dot com  
www.sec-consult.com  
  
SEC Consult conducts periodical information security workshops on ISO  
27001/BS 7799 in cooperation with BSI Management Systems. For more  
information, please refer to http://www.sec-consult.com/236.html  
  
EOF David Matscheko / @2007  
`