| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 22 Feb 2016 11:23:17 +0000 From: Mark Thomas <markt@...che.org> To: "users@...cat.apache.org" <users@...cat.apache.org> Cc: "announce@...cat.apache.org" <announce@...cat.apache.org>, announce@...che.org, "dev@...cat.apache.org" <dev@...cat.apache.org>, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: [SECURITY] CVE-2015-5345 Apache Tomcat Directory disclosure -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CVE-2015-5345 Apache Tomcat Directory disclosure Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 6.0.0 to 6.0.44 - - Apache Tomcat 7.0.0 to 7.0.66 - - Apache Tomcat 8.0.0.RC1 to 8.0.29 - - Apache Tomcat 9.0.0.M1 - - Earlier, unsupported Tomcat versions may be affected Description: When accessing a directory protected by a security constraint with a URL that did not end in a slash, Tomcat would redirect to the URL with the trailing slash thereby confirming the presence of the directory before processing the security constraint. It was therefore possible for a user to determine if a directory existed or not, even if the user was not permitted to view the directory. The issue also occurred at the root of a web application in which case the presence of the web application was confirmed, even if a user did not have access. The solution was to implement the redirect in the DefaultServlet so that any security constraints and/or security enforcing Filters were processed before the redirect. The Tomcat team recognised that moving the redirect could cause regressions to two new Context configuration options (mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled) were introduced. The initial default was false for both since this was more secure. However, due to regressions such as Bug 58765 [1] the default for mapperContextRootRedirectEnabled was later changed to true since it was viewed that the regression was more serious than the security risk of associated with being able to determine if a web application was deployed at a given path. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 9.0.0.M3 or later (9.0.0.M2 has the fix but was not released) - - Upgrade to Apache Tomcat 8.0.30 or later - - Upgrade to Apache Tomcat 7.0.67 or later - - Upgrade to Apache Tomcat 6.0.45 or later Credit: This issue was discovered by Mark Koek of QCSec. References: [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=58765 [2] http://tomcat.apache.org/security-9.html [3] http://tomcat.apache.org/security-8.html [4] http://tomcat.apache.org/security-7.html [5] http://tomcat.apache.org/security-6.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJWyu+lAAoJEBDAHFovYFnnFrYP+wZwqPsP6vtAn4VrIslTxrkO A31WCsXwnvggSIBLdITCwpJFywqPfpurFhce38Chgznli9E46Pr6dukTC56NhjmB Cv7+PTdpJxM3vKFw+OlLrfIrxEFtHbYOTI6q7NgjfVjdbG9LbVgG3JRTmf3tT+GN DU165VK7TxvBj68ll05gLECgAtrGFAEQl+51VlfWRZw8wXGFni2X43kEwUpihgHj Ci4W1+sBUln0ww+aKa6sRpJTi/s3tKPWckjMY//bDIMfd4gdK7N6CJSrRMbj6Gsw gfm1ixWlJJPKVvokH08NKvxcpwvRX4D1RD80WkaCrC7WMKzK8ohmhxxhIDXHmPE8 kibaJuy1WqQG+G/H00LTGpGkeevyg4/mH2hDxDbDJ5ye1RMA9GsKFC1YpDzugTxO zr9lX9QRWpPNEJDXSipdjs27p8hcF+vgwI5eVd5R721wpv17IEg0Lsy4zvvswFik t3rIj6wwVYHFoMNpwA/sojaRTGb62nqGREYiGMX4fPPd2OCtl1J4I8oZ3x4Q2gkJ WRX98z6a04zMisiGNeTjl7ZkgEjNNW8/XG4J5sFmgSo5p2XwBCINLyWfnYiQporj Ym0Ig9k8t5BHntgkP02a+CF9GScdkxNq8UC8Ad2oAHBqOEXd/9DHv80fA7ApvG7e HnSzWGDdd63z0ixY0g2I =6UrH -----END PGP SIGNATURE-----
Powered by blists - more mailing lists