tomcat <6.0.18: Directory Traversal (CVE-2008-2938)
Bug #256802 reported by Emanuele Gentili
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tomcat5.5 (Debian) | Fix Released | Unknown | |
tomcat5.5 (Ubuntu) | Fix Released | Low | Thierry Carrez |
Hardy | Fix Released | Low | Thierry Carrez |
tomcat6 (Gentoo Linux) | Invalid | Critical | |
tomcat6 (Ubuntu) | Fix Released | Undecided | Thierry Carrez |
Hardy | Invalid | Undecided | Unassigned |
Bug Description
Severity: High
Impact: Remote File Disclosure
Vulnerable Version: prior to 6.0.18
According to the Apache Security Team, this problem occurs because of the Java side.
If your context.xml or server.xml allows 'allowLinking' and 'URIencoding' as
'UTF-8', an attacker can obtain your important system files (e.g. /etc/passwd).
Reproducible: Always
Steps to Reproduce:
Exploit
If your webroot directory has a depth of three (e.g. /usr/local/
an attacker can access arbitrary files as below. (Proof-of-concept)
http://
References:
- http://
- http://
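A configuration check for the condition the report describes, as an added example that is not part of the original bug report or of Tomcat: it flags a `<Context>` with `allowLinking="true"` together with a `<Connector>` that decodes URIs as UTF-8. The sample XML is constructed, the function names are hypothetical, and attribute names are matched case-insensitively (Tomcat spells the connector attribute `URIEncoding`).

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration, not taken from the bug report.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"/>
  </Service>
</Server>"""
CONTEXT_XML = ('<Context allowLinking="true">'
               '<WatchedResource>WEB-INF/web.xml</WatchedResource></Context>')
SAFE_CONTEXT_XML = ('<Context>'
                    '<WatchedResource>WEB-INF/web.xml</WatchedResource></Context>')


def risky_settings(xml_text):
    """Return the settings named in the report that one config document enables."""
    found = set()
    for elem in ET.fromstring(xml_text).iter():
        # Lower-case names and values so 'URIencoding' and 'URIEncoding' both match.
        attrs = {k.lower(): v.strip().lower() for k, v in elem.attrib.items()}
        if elem.tag == "Context" and attrs.get("allowlinking") == "true":
            found.add("allowLinking")
        if elem.tag == "Connector" and attrs.get("uriencoding") in ("utf-8", "utf8"):
            found.add("URIEncoding=UTF-8")
    return found


def audit(configs):
    """configs maps file name -> XML text. Returns (exposed, {setting: [files]}).

    'exposed' is True only when both settings are present across the files,
    which is the combination the report says is required.
    """
    found = {}
    for name, text in configs.items():
        for setting in sorted(risky_settings(text)):
            found.setdefault(setting, []).append(name)
    exposed = set(found) >= {"allowLinking", "URIEncoding=UTF-8"}
    return exposed, found


if __name__ == "__main__":
    exposed, found = audit({"server.xml": SERVER_XML, "context.xml": CONTEXT_XML})
    print("vulnerable combination present:", exposed)
    for setting, files in found.items():
        print(f"  {setting}: {', '.join(files)}")
```

A host that reports the combination and runs a Tomcat version prior to 6.0.18 should take the fixed package or disable one of the two settings.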
Changed in tomcat6: | |
importance: | Undecided → High |
status: | New → Confirmed |
Changed in tomcat5.5: | |
status: | New → Confirmed |
Changed in tomcat6: | |
importance: | High → Undecided |
Changed in tomcat6: | |
status: | Unknown → Confirmed |
Changed in tomcat6: | |
status: | Confirmed → Invalid |
Changed in tomcat6: | |
assignee: | nobody → tcarrez |
status: | Confirmed → In Progress |
Changed in tomcat5.5: | |
assignee: | nobody → tcarrez |
status: | Confirmed → In Progress |
Changed in tomcat5.5: | |
status: | Unknown → New |
Changed in tomcat6: | |
status: | New → Invalid |
Changed in tomcat5.5: | |
assignee: | nobody → tcarrez |
importance: | Undecided → Low |
status: | New → In Progress |
Changed in tomcat5.5: | |
status: | In Progress → Fix Released |
Changed in tomcat5.5: | |
status: | New → Fix Released |
Changed in tomcat6 (Gentoo Linux): | |
status: | Invalid → Unknown |
Changed in tomcat6 (Gentoo Linux): | |
importance: | Unknown → Critical |
Changed in tomcat6 (Gentoo Linux): | |
status: | Unknown → Invalid |
This bug was fixed in the package tomcat6 - 6.0.18-0ubuntu1
---------------
tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low
* New upstream version (LP: #260016)
- Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802)
- Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922)
- Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926)
* Dropped CVE-2008-1947.patch (fix is shipped in this upstream release)
* control: Improve short descriptions for the binary packages
* copyright: Added link to /usr/share/common-licenses/Apache-2.0
* control: To pull the right JRE, libtomcat6-java now depends on
default-jre-headless | java6-runtime-headless
-- Thierry Carrez <email address hidden> Fri, 22 Aug 2008 09:15:11 +0200