Bug: Apache Tomcat Information disclosure (WLB-2009060118 Ascii Version)

English Version
WLB2

CVE WLB2

WLB2
Full List
Bugs
Bogus
Tricks
Exploits
CVE MAP
Full List
Vendors
Products
Tools
CWE Dictionary
Google Hacking
Search
General
CVE
CWE
RSS
Full List
Bugs
Exploits
Dorks
Information
Our services
Add note
About
Submit

To add a note,

use this form

or send email to

submit@cxsecurity.com

When contacting via email, we recommend coded messages.

Get our PGP public key

 Topic: Apache Tomcat Information disclosure
 Credit: Mark Thomas
 Date: 2009.06.09
 CWE: CWE-200 (Show similar)
 CVE: CVE-2009-0783 (Show details)

Use CVE to see details like:
- CVSS2,
- Affected Software,
- References

Risk
Local
Remote
Low
Yes
No

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2009-0783: Apache Tomcat information disclosure vulnerability

Severity: low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 6.0.0 to 6.0.18
Tomcat 5.5.0 to 5.5.27
Tomcat 4.1.0 to 4.1.39

The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected.

Description:
Bugs https://issues.apache.org/bugzilla/show_bug.cgi?id=29936 and
https://issues.apache.org/bugzilla/show_bug.cgi?id=45933 allowed a web
application to replace the XML parser used by Tomcat to process web.xml,
context.xml and tld files. If a web application is the first web
application loaded, these bugs allow that web application to potentially
view and/or alter the web.xml, context.xml and tld files of other web
applications deployed on the Tomcat instance.

Mitigation:
6.0.x users should do one of the following:
- upgrade to 6.0.20
- apply these patches
- http://svn.apache.org/viewvc?rev=739522&view=rev
- http://svn.apache.org/viewvc?rev=652592&view=rev
5.5.x users should do one of the following:
- upgrade to 5.5.28 when released
- apply these patches
- http://svn.apache.org/viewvc?rev=781542&view=rev
- http://svn.apache.org/viewvc?rev=681156&view=rev
4.1.x users should do one of the following:
- upgrade to 4.1.40 when released
- apply this patch http://svn.apache.org/viewvc?rev=781708&view=rev

Example:
See https://issues.apache.org/bugzilla/show_bug.cgi?id=29936#c12 for an
example web application that can be used to replace the XML parser used
by Tomcat.

Credit:
The security implications of these bugs was discovered and reported to
the Apache Software Foundation by Philippe Prados.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-4.html

The Apache Tomcat Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkonw6EACgkQb7IeiTPGAkM8qACgyxH+hBK4r4DprZhIqd97x/V1
/7EAnRMaJsKIoPzBQgOtOhM3vOCtyL+F
=B+Gu
-----END PGP SIGNATURE-----

References:

https://issues.apache.org/bugzilla/show_bug.cgi?id=29936
http://www.securityfocus.com/archive/1/archive/1/504090/100/0/threaded
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-4.html
http://svn.apache.org/viewvc?rev=781708&view=rev
http://svn.apache.org/viewvc?rev=781542&view=rev
http://svn.apache.org/viewvc?rev=739522&view=rev
http://svn.apache.org/viewvc?rev=681156&view=rev
http://svn.apache.org/viewvc?rev=652592&view=rev
https://issues.apache.org/bugzilla/show_bug.cgi?id=45933

[ ASCII VERSION ]
Copyright 2012, cxsecurity.com