Apache Tomcat User enumeration vulnerability with FORM authentication

2009.06.09
Credit: Mark Thomas
Risk: Low
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2009-0580: Tomcat information disclosure vulnerability Severity: Low Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.1.0 to 4.1.39 Tomcat 5.5.0 to 5.5.27 Tomcat 6.0.0 to 6.0.18 The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected. Description: Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of usernames by supplying illegally URL encoded passwords. The attack is possible if form based authenticiaton (j_security_check) with one of the following authentication realms is used: * MemoryRealm * DataSourceRealm * JDBCRealm Mitigation: 6.0.x users should do one of the following: - upgrade to 6.0.20 - apply this patch http://svn.apache.org/viewvc?rev=747840&view=rev 5.5.x users should do one of the following: - upgrade to 5.5.28 when released - apply this patch http://svn.apache.org/viewvc?rev=781379&view=rev 4.1.x users should do one of the following: - upgrade to 4.1.40 when released - apply this patch http://svn.apache.org/viewvc?rev=781382&view=rev Example: The following POST request should trigger an error (500 server error or empty response, depending on the configuration) if the ROOT web application is configured to use FORM authentication: POST /j_security_check HTTP/1.1 Host: localhost j_username=tomcat&j_password=% Credit: This issue was discovered by D. Matscheko and T. Hackner of SEC Consult. References: http://tomcat.apache.org/security.html Mark Thomas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkommckACgkQb7IeiTPGAkP75ACg7XYuld/25X2ltLLTeeQx88UB pFgAn1f6mIpzU7QUnjF4lsHcR+6lY67B =a0AC -----END PGP SIGNATURE-----

References:

http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-4.html
http://svn.apache.org/viewvc?rev=781382&view=rev
http://svn.apache.org/viewvc?rev=781379&view=rev
http://svn.apache.org/viewvc?rev=747840&view=rev


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top