SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Web Server/CGI)  >   Tomcat Vendors:   Apache Software Foundation
Tomcat UTF-8 'AllowLinking' Java Bug Lets Remote Users Traverse the Directory
SecurityTracker Alert ID:  1020665
SecurityTracker URL:  http://securitytracker.com/id/1020665
CVE Reference:   CVE-2008-2938   (Links to External Site)
Date:  Aug 12 2008
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 6.0.0 - 6.0.16
Description:   A vulnerability was reported in Tomcat. A remote user can view files on the target system.

A remote user can supply a specially crafted request to view files on target system that are located outside of the document directory.

If a context is configured with allowLinking="true" and the connector is configured with URIEncoding="UTF-8", the system may be vulnerable.

A demonstration exploit URL is provided:

http://[target]/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar


Impact:   A remote user can view files on the target system.
Solution:   The vendor has issued a fixed version (6.0.18).

The vendor's advisory is available at:

http://tomcat.apache.org/security-6.html
Vendor URL:  tomcat.apache.org/security.html (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 27 2008 (Red Hat Issues Fix) Tomcat UTF-8 'AllowLinking' Java Bug Lets Remote Users Traverse the Directory   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 5.
Sep 22 2008 (Red Hat Issues Fix for JBoss) Tomcat UTF-8 'AllowLinking' Java Bug Lets Remote Users Traverse the Directory   (bugzilla@redhat.com)
Red Hat has released a fix for JBoss Enterprise Application Platform for Red Hat Enterprise Linux 4 and 5.
Oct 3 2008 (Red Hat Issues Fix) Tomcat UTF-8 'AllowLinking' Java Bug Lets Remote Users Traverse the Directory   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Developer Suite.
Oct 3 2008 (Red Hat Issues Fix) Tomcat UTF-8 'AllowLinking' Java Bug Lets Remote Users Traverse the Directory   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Application Server.
Dec 8 2008 (Red Hat Issues Fix) Tomcat UTF-8 'AllowLinking' Java Bug Lets Remote Users Traverse the Directory   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Network Satellite Server.
Oct 18 2010 (Fujitsu Issues Fix for Interstage) Tomcat UTF-8 'AllowLinking' Java Bug Lets Remote Users Traverse the Directory
Fujitsu has issued a fix for Interstage Application Server.


 Source Message Contents
Date:  11 Aug 2008 08:52:44 -0000
Subject:  Apache Tomcat <= 6.0.18 UTF8 Directory Traversal Vulnerability

Title: Apache Tomcat Directory Traversal Vulnerability
Author: Simon Ryeo(bar4mi (at) gmail.com, barami (at) ahnlab.com)
Severity: High
Impact: Remote File Disclosure
Vulnerable Version: prior to 6.0.18
Solution:
 - Best Choice: Upgrade to 6.0.18 (http://tomcat.apache.org)
 - Hot fix: Disable allowLinking or do not set URIencoding to utf8 in order to avoid this vulnerability.
 - Tomcat 5.5.x and 4.1.x Users: The fix will be included in the next releases. Please apply the hot fix until next release.
References:
 - http://tomcat.apache.org/security.html
 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
History:
 - 07.17.2008: Initiate notify (To Apache Security Team)
 - 08.02.2008: Responsed this problem fixed and released new version
 - 08.05.2008: Notify disclosure (To Apache Tomcat Security Team)
 - 08.10.2008: Responsed with some suggestions.

Description
As Apache Security Team, this problem occurs because of JAVA side.
If your context.xml or server.xml allows 'allowLinking'and 'URIencoding' as
'UTF-8', an attacker can obtain your important system files.(e.g.  /etc/passwd)

Exploit
If your webroot directory has three depth(e.g /usr/local/wwwroot), An
attacker can access arbitrary files as below. (Proof-of-concept)

http://www.target.com/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC