apache tomcat cookie handling problem - characters out of 0x80 - 0xff causing internal server error

Type securityvulns
Reporter Securityvulns
Modified 2014-09-15T00:00:00


  • Title: Client-based DoS for Apache Tomcat on sending cookie with value out of 0x80 - 0xff scope.
  • Author: Elar Lang @elarlang https://www.linkedin.com/in/elarlang
  • Date: 02. January 2014 / 05. September 2014
  • Vendor: Apache
  • Product: Tomcat
  • Affected versions (at least): 7.0.26 7.0.39 7.0.40
  • Timeline:

1 02. January 2014 - [me > vendor] information sent to


if HTTP request to Apache Tomcat server contains some cookie and cookie value contains character with ascii code larger than 128 result is Error 500 - Internal Server Error.

It's good attack vector for attackers, because one XSS hole is enough to write one cookie with value ¤ (for example), and for that browser this site is not accessible anymore.

Versions affected (tested): 7.0.26 7.0.39 7.0.40

2 08. January 2014 - [vendor > me] response from Apache. Basically,

it's not their bug. Included the following line.

The Tomcat developers do not view the scenario you describe as a Tomcat vulnerability since the vulnerability is the initial XSS and without that this behaviour cannot be exploited by an attacker.

3 10. June 2014 - [me > vendor] information and explanation, that one

XSS in SOP (Same-Origin-Policy) scope is enough to "turn off" one client. I also asked, how to prevent against that problem.

4 11. June 2014 - [vendor > me] Response from Apache. "From a

security perspective there is nothing to add to our previous response."

For details of the changes (planned and implemented) to Tomcat's cookie parsing that may well mitigate the DoS see the dev@ list.

5 04. September 2014 - [me > vendor] information resent and asked how

the impact is different from http://www.securityfocus.com/bid/67671/info

6 05. September 2014 - [vendor > me] Response from Apache. They said,

they have nothing to add to previous comments.

7 05. September 2014 - [me] publish.

  • URL: Vulnerable sites on Tomcat, for example (based on random sources "popular sites on Tomcat"): www.ebay.com www.walmart.com www.snapdeal.com www.zillow.com webstore.amazon.com www.chacha.com upware.comcast.com www.bizrate.com odnoklassniki.ru store.apple.com - ex: search functionality
  • Description of vulnerable software: Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed under the Java Community Process. [http://tomcat.apache.org/]

  • Vulnerability: Cookies what contains at least one symbol out of range 0x80 .. 0xff, causing Internal Server Error.

  • Preconditions: Possibility to send "Set-Cookie" command to victim (browser):

  • access to program code in some site in Same-Origin-Policy scope
  • one XSS vulnerability in some site in Same-Origin-Policy scope

If the victim browser has this kind of cookie, then request from victim's browser cause Internal Server Error a'ka this victim can not use current web page anymore (till it has the cookie)

  • PoC: Set-Cookie: tommy=ignoringcat¤;

XSS payload: document.cookie='tommy=cat¤';

Status: unknown