lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4A28FDAD.50305@apache.org>
Date: Fri, 05 Jun 2009 12:12:45 +0100
From: Mark Thomas <markt@...che.org>
To: announce@...cat.apache.org,
	Tomcat Users List <users@...cat.apache.org>,
	Tomcat Developers List <dev@...cat.apache.org>,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [SECURITY] CVE-2009-0580 UPDATED Apache Tomcat User enumeration vulnerability
 with FORM authentication

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Updated to clarify affected versions as they vary for each affected Realm.

CVE-2009-0580: Tomcat information disclosure vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
MemoryRealm:
 Tomcat 4.1.0 to 4.1.39
 Tomcat 5.5.0 to 5.5.27
 Tomcat 6.0.0 to 6.0.18
DataSourceRealm:
 Tomcat 4.1.17 to 4.1.31
 Tomcat 5.5.0  to 5.5.5
JDBCRealm:
 Tomcat 4.1.0 to 4.1.31
 Tomcat 5.5.0 to 5.5.5

The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected.

Description:
Due to insufficient error checking in some authentication classes,
Tomcat allows for the enumeration (brute force testing) of usernames by
supplying illegally URL encoded passwords. The attack is possible if
form based authenticiaton (j_security_check) with one of the following
authentication realms is used:
 * MemoryRealm
 * DataSourceRealm
 * JDBCRealm

Mitigation:
6.0.x users should do one of the following:
 - upgrade to 6.0.20
 - apply this patch http://svn.apache.org/viewvc?rev=747840&view=rev
5.5.x users should do one of the following:
 - upgrade to 5.5.28 when released
 - apply this patch http://svn.apache.org/viewvc?rev=781379&view=rev
4.1.x users should do one of the following:
 - upgrade to 4.1.40 when released
 - apply this patch http://svn.apache.org/viewvc?rev=781382&view=rev

Example:
The following POST request should trigger an error (500 server error or
empty response, depending on the configuration) if the ROOT web
application is configured to use FORM authentication:

POST /j_security_check HTTP/1.1
Host: localhost

j_username=tomcat&j_password=%

Credit:
This issue was discovered by D. Matscheko and T. Hackner of SEC Consult.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkoo/a0ACgkQb7IeiTPGAkOwBgCgg32bOh5/3FWwmg+qnazFuJLy
UGAAnjGl3psau6THn7UDBjpHfSG8LZ4a
=SIJ6
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ