Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apache :: bu-75.htm

Apache Tomcat User enumeration vulnerability with FORM authentication



CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2009-0580: Tomcat information disclosure vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.39
Tomcat 5.5.0 to 5.5.27
Tomcat 6.0.0 to 6.0.18

The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected.

Description:
Due to insufficient error checking in some authentication classes,
Tomcat allows for the enumeration (brute force testing) of usernames by
supplying illegally URL encoded passwords. The attack is possible if
form based authenticiaton (j_security_check) with one of the following
authentication realms is used:
 * MemoryRealm
 * DataSourceRealm
 * JDBCRealm

Mitigation:
6.0.x users should do one of the following:
 - upgrade to 6.0.20
- apply this patch http://svn.apache.org/viewvc?rev=747840&view=rev 
5.5.x users should do one of the following:
 - upgrade to 5.5.28 when released
- apply this patch http://svn.apache.org/viewvc?rev=781379&view=rev 
4.1.x users should do one of the following:
 - upgrade to 4.1.40 when released
- apply this patch http://svn.apache.org/viewvc?rev=781382&view=rev 

Example:
The following POST request should trigger an error (500 server error or
empty response, depending on the configuration) if the ROOT web
application is configured to use FORM authentication:

POST /j_security_check HTTP/1.1
Host: localhost

j_username=tomcat&j_password=%

Credit:
This issue was discovered by D. Matscheko and T. Hackner of SEC Consult.

References:
http://tomcat.apache.org/security.html 

Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org 

iEYEARECAAYFAkommckACgkQb7IeiTPGAkP75ACg7XYuld/25X2ltLLTeeQx88UB
pFgAn1f6mIpzU7QUnjF4lsHcR+6lY67B
=a0AC
-----END PGP SIGNATURE-----



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH