tomcat <6.0.18: Directory Traversal (CVE-2008-2938)

Bug #256802 reported by Emanuele Gentili on 2008-08-11
Affects                  Status        Importance  Assigned to     Milestone
tomcat5.5 (Debian)       Fix Released  Unknown
tomcat5.5 (Ubuntu)                     Low         Thierry Carrez
  Hardy                                Low         Thierry Carrez
tomcat6 (Gentoo Linux)   Invalid       Critical
tomcat6 (Ubuntu)                       Undecided   Thierry Carrez
  Hardy                                Undecided   Unassigned

Bug Description

Severity: High
Impact: Remote File Disclosure
Vulnerable Version: prior to 6.0.18

According to the Apache Security Team, this problem occurs because of the JAVA side.
If your context.xml or server.xml allows 'allowLinking' and 'URIencoding' as
'UTF-8', an attacker can obtain your important system files (e.g. /etc/passwd).

Reproducible: Always

Steps to Reproduce:
Exploit
If your webroot directory is three levels deep (e.g. /usr/local/wwwroot), an
attacker can access arbitrary files as below (proof-of-concept).

http://www.target.com/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar

References:
 - http://tomcat.apache.org/security.html
 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
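The report above shows the symptom but not the mechanism. The following is an added example, written for this page and not code from the bug report, Tomcat or the Ubuntu packages: it contrasts a hypothetical lenient UTF-8 decoder (which accepts the overlong two-byte form C0 AE as '.', so "%c0%ae%c0%ae" becomes "..") with Python's strict codec, builds a path resolver that rejects such requests and confines the result to the webroot, and scans constructed access-log lines for overlong percent-encodings. The webroot /usr/local/wwwroot is taken from the report; the log lines and all function names are constructed for the example.

```python
"""Overlong-UTF-8 traversal: lenient vs. strict decoding, path confinement, log check.
Added example for this page; not from the bug report or from Tomcat.
"""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote_to_bytes

# Webroot used in the bug report's scenario (three directory levels deep).
WEBROOT = "/usr/local/wwwroot"


def lenient_utf8_decode(data: bytes) -> str:
    """Hypothetical lenient decoder: handles 1- and 2-byte sequences and never
    checks that a 2-byte sequence actually needed two bytes. This is the defect
    class behind the report: C0 AE decodes to U+002E ('.') instead of an error.
    Illustration only; this is not Tomcat's decoder."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            out.append(chr(cp))  # no 'cp >= 0x80' check -> overlong form accepted
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def strict_utf8_decode(data: bytes) -> str:
    """Python's codec is strict: overlong sequences raise UnicodeDecodeError."""
    return data.decode("utf-8")


def resolve_request_path(raw_path: str, webroot: str = WEBROOT) -> Optional[str]:
    """Percent-decode, strictly UTF-8-decode, then confine the result to webroot.
    Returns the absolute filesystem path, or None when the request must be rejected."""
    try:
        decoded = strict_utf8_decode(unquote_to_bytes(raw_path))
    except UnicodeDecodeError:
        return None  # overlong or otherwise malformed UTF-8 in the URI
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    # Any '..' that escapes the root leaves the candidate outside webroot.
    if candidate != webroot and not candidate.startswith(webroot + "/"):
        return None
    return candidate


# Overlong encodings: 2-byte forms led by C0/C1, 3-byte forms led by E0 80..9F.
OVERLONG_RE = re.compile(
    r"%c[01]%[89ab][0-9a-f]|%e0%[89][0-9a-f]%[89ab][0-9a-f]", re.IGNORECASE
)


def flag_overlong_requests(log_lines: List[str]) -> List[str]:
    """Return the access-log lines whose request contains an overlong UTF-8 encoding."""
    return [line for line in log_lines if OVERLONG_RE.search(line)]


# Constructed access-log lines (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Aug/2008:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Aug/2008:10:00:02 +0200] '
    '"GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.1" 200 1043',
    '10.0.0.9 - - [11/Aug/2008:10:00:03 +0200] "GET /caf%c3%a9.html HTTP/1.1" 200 300',
]


if __name__ == "__main__":
    print("lenient:", repr(lenient_utf8_decode(b"\xc0\xae\xc0\xae")))
    print("strict :", resolve_request_path("/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"))
    print("ok     :", resolve_request_path("/index.html"))
    for hit in flag_overlong_requests(SAMPLE_LOG):
        print("flagged:", hit)
```

The two defensive checks are independent on purpose: the strict decode stops overlong forms regardless of what follows, and the webroot containment check catches plain "%2e%2e" traversal that needs no decoder bug at all. The regex is a log-triage aid, not a replacement for fixing the decoder.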

Changed in tomcat6:
importance: Undecided → High
status: New → Confirmed
Changed in tomcat5.5:
status: New → Confirmed
Changed in tomcat6:
importance: High → Undecided
Changed in tomcat6:
status: Unknown → Confirmed
Changed in tomcat6:
status: Confirmed → Invalid
Thierry Carrez (ttx) on 2008-08-21
Changed in tomcat6:
assignee: nobody → tcarrez
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.18-0ubuntu1

---------------
tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low

  * New upstream version (LP: #260016)
    - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802)
    - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922)
    - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926)
  * Dropped CVE-2008-1947.patch (fix is shipped in this upstream release)
  * control: Improve short descriptions for the binary packages
  * copyright: Added link to /usr/share/common-licenses/Apache-2.0
  * control: To pull the right JRE, libtomcat6-java now depends on
    default-jre-headless | java6-runtime-headless

 -- Thierry Carrez <email address hidden> Fri, 22 Aug 2008 09:15:11 +0200

Changed in tomcat6:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote :

That would be the patch for the 5.5 line: http://svn.apache.org/viewvc?view=rev&revision=678137

Changed in tomcat5.5:
importance: Undecided → Low
Thierry Carrez (ttx) wrote :
Thierry Carrez (ttx) on 2008-09-09
Changed in tomcat5.5:
assignee: nobody → tcarrez
status: Confirmed → In Progress
Changed in tomcat5.5:
status: Unknown → New
dfiguero (gargamel-) wrote :

Is there a patch for tomcat5.5 that fixes CVE-2008-1947?

Thierry Carrez (ttx) wrote :

CVE-2008-1947 is fixed in 5.5.26-3
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484643
Look at changes in HTMLHostManagerServlet.java in the diff.gz

Changed in tomcat6:
status: New → Invalid
Thierry Carrez (ttx) on 2008-09-15
Changed in tomcat5.5:
assignee: nobody → tcarrez
importance: Undecided → Low
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat5.5 - 5.5.26-3ubuntu1

---------------
tomcat5.5 (5.5.26-3ubuntu1) intrepid; urgency=low

  * Fix tomcat5.5 Java environment to match status of Java in intrepid:
    - control: Moved Java runtime deps to libtomcat5.5-java
    - control: Depends on default-jre-headless | java2-runtime-headless
    - tomcat5.5.init: Fix JVM list to match java2-runtime-headless
    - rules, control: Builds with default-jdk, libecj-java build-dep added
    - Fixes LP: #212521, LP: #179447
  * tomcat5.5.postinst: Removed superfluous /etc/tomcat5.5/tomcat5.5 linking
  * rules, tomcat5.5.init: implement TearDown spec
  * tomcat5.5.install: don't install catalina.policy (LP: #112626)
  * Fix CVE-2008-1232 cross-site scripting vulnerability (LP: #256926)
  * Fix CVE-2008-2370 information disclosure vulnerability (LP: #256922)
  * Fix CVE-2008-2938 directory traversal (LP: #256802)

 -- Thierry Carrez <email address hidden> Wed, 10 Sep 2008 12:00:09 +0200

Changed in tomcat5.5:
status: In Progress → Fix Released
Changed in tomcat5.5:
status: In Progress → Fix Released
Changed in tomcat5.5:
status: New → Fix Released
Changed in tomcat6 (Gentoo Linux):
status: Invalid → Unknown
Changed in tomcat6 (Gentoo Linux):
importance: Unknown → Critical
Changed in tomcat6 (Gentoo Linux):
status: Unknown → Invalid