mailing list archives
Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
From: Christopher Schultz <chris () christopherschultz net>
Date: Thu, 04 Jun 2009 12:48:19 -0400
-----BEGIN PGP SIGNED MESSAGE-----
On 6/3/2009 11:42 AM, Mark Thomas wrote:
CVE-2009-0580: Tomcat information disclosure vulnerability
I know I'm likely to get a vague response, but could you provide some
more info about this issue?
Due to insufficient error checking in some authentication classes,
Tomcat allows for the enumeration (brute force testing) of usernames by
supplying illegally URL encoded passwords.
I'm not sure how the patch (I read the patch for TC5.5
DataSourceRealm.java) changes anything at all: it appears to be merely a
No changes are made to the behavior of Tomcat, since the same null is
returned to the caller if the credentials do not match.
I don't see any information disclosure vulnerability in the first place,
and I don't see how your patch would have fixed it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----