Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
From: Christopher Schultz <chris () christopherschultz net>
Date: Thu, 04 Jun 2009 12:48:19 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark,

On 6/3/2009 11:42 AM, Mark Thomas wrote:
CVE-2009-0580: Tomcat information disclosure vulnerability

I know I'm likely to get a vague response, but could you provide some
more info about this issue?

Due to insufficient error checking in some authentication classes,
Tomcat allows for the enumeration (brute force testing) of usernames by
supplying illegally URL encoded passwords.

[snip]

j_username=tomcat&j_password=%

I'm not sure how the patch (I read the patch for TC5.5
DataSourceRealm.java) changes anything at all: it appears to be merely a
performance optimization.

No changes are made to the behavior of Tomcat, since the same null is
returned to the caller if the credentials do not match.

I don't see any information disclosure vulnerability in the first place,
and I don't see how your patch would have fixed it.

??!

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkon+tMACgkQ9CaO5/Lv0PCd5ACfcBAJjcKnjKjDgChIezhr8Oty
MkQAoKUVc0ynWGvtp0Wf4S42Jeytxwwk
=iKFX
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]