Date: Thu Nov 3 07:05:22 2005
From: david.maciejak at kyxar.fr (David Maciejak)
Subject: Apache Tomcat 5.5.x remote Denial Of Service

Apache Tomcat is the famous servlet container for Java Servlet and JSP technologies released under ASL. Version 5.5.x is intended for servlet/jsp specification 2.4/2.0.
More information on http://tomcat.apache.org/

Description:
Many time-consuming directory listing requests can cause a denial of service.

Detection/PoC:
Vulnerable versions tested are 5.5.0 to 5.5.11. 5.5.12 and 5.0.28 seem not to be impacted.

An easy way to test:
- Download Tomcat package from Tomcat archive
- Unpack it, use default configuration
- In webapps example dir, add some empty files (enough for the dir listing request to be long)
- Thread many listing accesses on this directory

Workaround:
Upgrade to version 5.5.12

David Maciejak

--------------------------------------------------------------------------------
KYXAR.FR - Mail sent from http://webmail.kyxar.fr
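Added example, not part of the original advisory: a log check for the condition described above, flagging bursts of slow directory-listing responses in a Tomcat access log. The AccessLogValve pattern `%h %l %u %t "%r" %s %b %D` (with %D as elapsed milliseconds), the thresholds, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed access log pattern: %h %l %u %t "%r" %s %b %D   (%D = elapsed ms)
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ (?P<ms>\d+)$')

def parse(line):
    """Return (timestamp, method, path, status, elapsed_ms) or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["uri"].split("?", 1)[0]          # ignore the query string
    return ts, m["method"], path, int(m["status"]), int(m["ms"])

def slow_listing_bursts(lines, window_s=10, min_hits=5, slow_ms=1000):
    """Map each directory path to its peak count of slow GETs in any window."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, method, path, status, ms = rec
        # Heuristic: a 200 GET on a path ending in "/" is a listing or welcome page.
        if method == "GET" and path.endswith("/") and status == 200 and ms >= slow_ms:
            hits[path].append(ts)
    alerts, window = {}, timedelta(seconds=window_s)
    for path, stamps in hits.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):     # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_hits:
            alerts[path] = peak
    return alerts

# Constructed sample lines (not from a real server): six slow listing responses
# for one directory within six seconds, plus two ordinary fast requests.
SAMPLE = [f'192.0.2.10 - - [03/Nov/2005:07:00:0{i} +0100] '
          f'"GET /examples/emptyfiles/ HTTP/1.1" 200 90211 {4000 + i * 500}'
          for i in range(6)] + [
    '192.0.2.11 - - [03/Nov/2005:07:00:03 +0100] "GET /index.jsp HTTP/1.1" 200 8123 12',
    '192.0.2.12 - - [03/Nov/2005:07:00:04 +0100] "GET /docs/ HTTP/1.1" 200 1500 35']

if __name__ == "__main__":
    print(slow_listing_bursts(SAMPLE))
```

Tune `slow_ms` and `min_hits` against a baseline of normal traffic, since a large directory can legitimately produce an occasional slow listing.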