CVE-2007-3385: Handling of \" in cookies

2007-08-14T00:00:00
ID SECURITYVULNS:DOC:17780
Type securityvulns
Reporter Securityvulns
Modified 2007-08-14T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

CVE-2007-3385: Handling of \" in cookies

Severity: Low (Session Hi-jacking)

Vendor: The Apache Software Foundation

Versions Affected: 6.0.0 to 6.0.13 5.5.0 to 5.5.24 5.0.0 to 5.0.30 4.1.0 to 4.1.36 3.3 to 3.3.2

Description: Tomcat incorrectly handles the character sequence \" in a cookie value. In some circumstances this can lead to the leaking of information such as session ID to an attacker.

Mitigation: Upgrade to 6.0.14

Credit: This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing and Networking Center, who worked with the CERT/CC to report the vulnerability.

Example: http://localhost:8080/examples/servlets/servlet/CookieExample?cookiename=HAHA&cookievalue=%5C%22FOO%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2F%3B

References: http://tomcat.apache.org/security.html

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGwSFlb7IeiTPGAkMRArdPAJ99AXYzSterU7oG+u8UrtQAd2lTZwCbBK2R hwRixKaYOwWyj5kD+fLT1ls= =hgTP -----END PGP SIGNATURE-----