[SECURITY] CVE-2008-2938 - Apache Tomcat information disclosure vulnerability - Updated

2008-09-10T00:00:00
ID SECURITYVULNS:DOC:20499
Type securityvulns
Reporter Securityvulns
Modified 2008-09-10T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Updated

Severity: Important (was moderate)

Vendor: The Apache Software Foundation

Versions Affected: Tomcat 4.1.0 to 4.1.37 Tomcat 5.5.0 to 5.5.26 Tomcat 6.0.0 to 6.0.16 The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Description (new information): Further investigation of CVE-2008-2938 has shown that the vulnerability also exists only with URIEncoding="UTF-8" set on the connector. In these configurations arbitrary files in the docBase for an application, including files such as web.xml, may be disclosed. Users should also be aware that this vulnerability will apply when processing requests with UTF-8 body encoding and useBodyEncodingForURI="true"

Mitigation: 6.0.x users should upgrade to 6.0.18 5.5.x users should upgrade to 5.5.27 4.1.x users should obtain the latest source from svn or apply this patch: http://svn.apache.org/viewvc?view=rev&revision=681065

Example: http://www.target.com/contextpath/%c0%ae%c0%ae/WEB-INF/web.xml

Credit: This additional information was discovered by the Apache Tomcat security team.

References: http://tomcat.apache.org/security.html

Mark Thomas

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjHnCMACgkQb7IeiTPGAkMoLQCg2PxS09CpZGI9t+QcdifSfMh8 CHcAoOSRAPOzAFH5hx1w8jxOBthrAKEJ =Fi0E -----END PGP SIGNATURE-----