Apache Tomcat Information Disclosure

2009-06-09T00:00:00
ID PACKETSTORM:78169
Type packetstorm
Reporter Mark Thomas
Modified 2009-06-09T00:00:00

Description

                                        
`
CVE-2008-5515: Apache Tomcat information disclosure vulnerability  
  
Severity: Important  
  
Vendor:  
The Apache Software Foundation  
  
Versions Affected:  
Tomcat 4.1.0 to 4.1.39  
Tomcat 5.5.0 to 5.5.27  
Tomcat 6.0.0 to 6.0.18  
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected  
  
Description:  
When using a RequestDispatcher obtained from the Request, the target  
path was normalised before the query string was removed. A request that  
included a specially crafted request parameter could be used to access  
content that would otherwise be protected by a security constraint or by  
locating it under the WEB-INF directory.  
  
Mitigation:  
6.0.x users should upgrade to 6.0.20 or apply this patch:  
http://svn.apache.org/viewvc?view=rev&revision=734734  
5.5.x users should upgrade to 5.5.28 when released or apply this patch:  
http://svn.apache.org/viewvc?view=rev&revision=782757  
4.1.x users should upgrade to 4.1.40 when released or apply this patch:  
http://svn.apache.org/viewvc?view=rev&revision=782763  
  
Example:  
For a page that contains:  
<%  
request.getRequestDispatcher( "bar.jsp?somepar=someval&par=" +  
request.getParameter( "blah" ) ).forward( request, response );  
%>  
  
an attacker can use:  
http://host/page.jsp?blah=/../WEB-INF/web.xml  
  
Credit:  
This issue was discovered by Iida Minehiko, Fujitsu Limited  
  
References:  
http://tomcat.apache.org/security.html  
`
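
The ordering problem from the Description, as a simplified Java model added here (it is not Tomcat's code and not part of the advisory). The class and method names are hypothetical, and the input is the advisory's example dispatcher target with the `blah` value appended.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Simplified model of the ordering issue in CVE-2008-5515. Not Tomcat source.
public class DispatcherPathModel {

    // Collapse "." and ".." segments of a context-relative path.
    // Returns null if ".." would climb above the context root.
    static String normalize(String path) {
        Deque<String> stack = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (stack.isEmpty()) return null;
                stack.removeLast();   // ".." discards the previous segment
            } else {
                stack.addLast(seg);
            }
        }
        return "/" + String.join("/", stack);
    }

    // Drop everything from the first '?' onwards.
    static String stripQuery(String path) {
        int q = path.indexOf('?');
        return q < 0 ? path : path.substring(0, q);
    }

    // Order described in the advisory: normalise first, then remove the query.
    // The query text is treated as a path segment, so ".." can discard it.
    static String resolveVulnerable(String target) {
        String n = normalize(target);
        return n == null ? null : stripQuery(n);
    }

    // Corrected order: remove the query first, then normalise only the path.
    static String resolveFixed(String target) {
        return normalize(stripQuery(target));
    }

    public static void main(String[] args) {
        // Constructed input: "bar.jsp?somepar=someval&par=" + blah parameter.
        String target = "/bar.jsp?somepar=someval&par=" + "/../WEB-INF/web.xml";
        System.out.println("normalise, then strip: " + resolveVulnerable(target));
        System.out.println("strip, then normalise: " + resolveFixed(target));
    }
}
```

In the first order the segment `bar.jsp?somepar=someval&par=` is removed by `..`, leaving a path under WEB-INF; in the second the parameter value never reaches the normaliser and the target stays `/bar.jsp`.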