lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 10 Sep 2008 11:06:27 +0100
From: Mark Thomas <markt@...che.org>
To: Tomcat Users List <users@...cat.apache.org>,
	Tomcat Developers List <dev@...cat.apache.org>,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [SECURITY] CVE-2008-2938 - Apache Tomcat information disclosure vulnerability
 - Updated

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Updated

Severity: Important (was moderate)

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.37
Tomcat 5.5.0 to 5.5.26
Tomcat 6.0.0 to 6.0.16
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Description (new information):
Further investigation of CVE-2008-2938 has shown that the vulnerability
also exists only with URIEncoding="UTF-8" set on the connector. In these
configurations arbitrary files in the docBase for an application,
including files such as web.xml, may be disclosed.
Users should also be aware that this vulnerability will apply when
processing requests with UTF-8 body encoding and
useBodyEncodingForURI="true"

Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should upgrade to 5.5.27
4.1.x users should obtain the latest source from svn or apply this patch:
http://svn.apache.org/viewvc?view=rev&revision=681065

Example:
http://www.target.com/contextpath/%c0%ae%c0%ae/WEB-INF/web.xml

Credit:
This additional information was discovered by the Apache Tomcat security
team.

References:
http://tomcat.apache.org/security.html

Mark Thomas


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjHnCMACgkQb7IeiTPGAkMoLQCg2PxS09CpZGI9t+QcdifSfMh8
CHcAoOSRAPOzAFH5hx1w8jxOBthrAKEJ
=Fi0E
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ