lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4BCF7A39.80800@apache.org>
Date: Wed, 21 Apr 2010 23:20:41 +0100
From: Mark Thomas <markt@...che.org>
To: Tomcat Users List <users@...cat.apache.org>,
	Tomcat Developers List <dev@...cat.apache.org>, annouce@...che.org,
	announce@...cat.apache.org, full-disclosure@...ts.grok.org.uk,
	bugtraq@...urityfocus.com
Subject: [SECURITY] CVE-2010-1157: Apache Tomcat information disclosure vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2010-1157: Apache Tomcat information disclosure vulnerability

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 6.0.0 to 6.0.26
- - Tomcat 5.5.0 to 5.5.29
Note: The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be
affected.

Description:
The "WWW-Authenticate" header for BASIC and DIGEST authentication
includes a realm name. If a <realm-name> element is specified for the
application in web.xml it will be used. However, a <realm-name> is not
specified then Tomcat will generate one using the code snippet:
request.getServerName() + ":" + request.getServerPort()
In some circumstances this can expose the local hostname or IP address
of the machine running Tomcat.

Example:
GET /application/j_security_check HTTP/1.0


HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="tomcat01:8080"
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Thu, 31 Dec 2009 12:18:11 GMT
Connection: close

Mitigation:
Administrators of web applications that use BASIC or DIGEST
authentication are recommended to set an appropriate realm name in the
web application's web.xml file.
Alternatively, the following patches may be used to change the default
realm to "Authentication required" (without the quotes):
- - Tomcat 6.0.x: http://svn.apache.org/viewvc?view=rev&rev=936540
- - Tomcat 5.5.x: http://svn.apache.org/viewvc?view=rev&rev=936541
These patches will be included in the next releases of Tomcat 5.5.x and
Tomcat 6.0.x. No release date has been set for the next Tomcat 5.5.x and
Tomcat 6.0.x releases.

Credit:
This issue was discovered by Deniz Cevik.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

The Apache Tomcat Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJLz3o5AAoJEBDAHFovYFnn7NgP/jyjnqK98FfruhzL0eB/b748
7EYP8k//kbmq8SIYyDkHkmlGfDNE+epxLudgSLbwg8QJdNG50JHwjTzAcclPCyu6
jx3NuJVKxn8KloD3rmxhrIItLG/yQ50JP3tnNO3xC4pS4j8dzdrTS2lFPXxcna6e
o9rMUwPLTEsLvNhd93sUIpdXuLhG9TP7dOeAD737ybvmRcz612igGyyT3hVUeGsK
TvJ+uzZTLJi+Wz0UMRdseqsgp1OW2DeMyao67bPaUrbX9EfLA+yUfXV6TRByT4C5
S5BB3mTz8WBgWkscCmKB0mqmtiPfv7PxlRDfMyPAkFhezPAnL5UD4fSZ3Aes8rTO
IF6CM/lWXm+eMECVwuIh7RdiPJtpe/1ZTQ2EtAQ/JZOIoDX2sKNF92opGeNiZPp9
P78tfksI23tLNJeDcJmL1a2L1yP8pcvAnd6AhYwZPc+LoZBKOsqEMMDU9CmbT3LY
2Fyn8h5yV9Fql9TR9J87aB9BDcQ5vqtdJ17qO20ur54SockI/oNi45tpDf76sJQB
0iOVY1MDu9J4c3xvtmWrdsAZF8VFDhW8nXdKOATh2cVQg/P4aELW2eyGUbiL5hLZ
EWgiZRQWm815MqEwikbztMON4OipensBx1wNuKvj2VKs3VK8tkSuXigViOCTYo+c
mm73gFAt6VWTF5sbfTuA
=mtgX
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ