[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <46C12155.5060405@apache.org>
Date: Mon, 13 Aug 2007 23:28:21 -0400
From: Mark Thomas <markt@...che.org>
To: Tomcat Users List <users@...cat.apache.org>,
Tomcat Developers List <dev@...cat.apache.org>,
full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Cc: "CERT(R) Coordination Center" <cert@...t.org>
Subject: CVE-2007-3382: Handling of cookies containing a ' character
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2007-3382: Handling of cookies containing a ' character
Severity:
Low (Session Hi-jacking)
Vendor:
The Apache Software Foundation
Versions Affected:
6.0.0 to 6.0.13
5.5.0 to 5.5.24
5.0.0 to 5.0.30
4.1.0 to 4.1.36
3.3 to 3.3.2
Description:
Tomcat incorrectly treats a single quote character (') in a cookie
value as a delimiter. In some circumstances this can lead to the
leaking of information such as session ID to an attacker.
Mitigation:
Upgrade to 6.0.14
Credit:
This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing
and Networking Center, who worked with the CERT/CC to report the
vulnerability.
Example:
http://localost:8080/servlets-examples/servlet/CookieExample?cookiename=BLOCKER&cookievalue=%5C%22A%3D%27%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2Fservlets-examples%2Fservlet+%3B
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGwSFVb7IeiTPGAkMRAjkwAKDnu+C08WRZazmZfzunFeHcitsvnACg3CtP
6c6FCxbFOcfxhqqayg8kdUI=
=MkDj
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists