Nmap Development mailing list archives
Re: [NSE] http-vuln-cve2009-0580
From: David Fifield <david () bamsoftware com>
Date: Tue, 1 May 2012 09:41:44 -0700
On Fri, Mar 23, 2012 at 10:06:53AM -0400, Patrik Karlsson wrote:
On Mon, Mar 19, 2012 at 12:15 PM, M. Hani Benhailes <kroosec () gmail com> wrote:

Hi list,

description = [[
Tries to exploit cve-2009-0580 also known as Apache Tomcat user enumeration
with FORM authentication.

This vulnerability permits to enumerate (brute force) valid Apache tomcat
server users via requests to /j_security_check with malformed URL encoding
of passwords.

It is present in versions 6.0.0 to 6.0.18, 5.5.0 to 5.5.27 and 4.1.0 to 4.1.39

For more information, see:
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0580
* http://www.osvdb.org/55055
* http://www.securityfocus.com/bid/35196
]]

---
--@output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- | http-vuln-cve2009-0580:
-- |   VULNERABLE:
-- |   Apache Tomcat user enumeration with FORM authentication
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:CVE-2009-0580
-- |     Risk factor: Low  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
-- |     Description:
-- |       Permits to enumerate Apache Tomcat users remotely and is present in
-- |       Apache Tomcat 6.0.0 to 6.0.18, 5.5.0 to 5.5.27 and 4.1.0 to 4.1.39
-- |     Disclosure date: 2009-06-14
-- |     Exploit results:
-- |       admin
-- |       tomcat
-- |     References:
-- |       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
-- |_      http://www.osvdb.org/55055

Hi Hani,

I've been trying to test this script against a vulnerable version configured to use form based authentication but can't get it to work. What happens is that it reports all accounts as valid ones, even though they're not. I'm seeing a 200 OK and a cookie being set in all responses. Could you share the configuration you're using so that I can test the script?

Also, I'm guessing the script needs some additional check to make sure it's not hitting an error page returning a 200 OK as this would also report all accounts as valid. One way of doing this is to check one or two random usernames and make sure that they're not detected as valid.
What has happened with this script? Did you guys find out why it wasn't working for Patrik?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
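The canary check Patrik suggests, as an added example; this is not code from the NSE script or from anyone in the thread. It is written in Python rather than Lua so it can run stand-alone, and it treats the script's per-user request as an opaque `probe` callable that returns True when the response is classified as a valid account (how that classification is made is left to the script). The two probe functions are constructed stand-ins: one mimics the failure Patrik describes, where every username comes back looking valid, and the other mimics a target where only two accounts exist.

```python
import secrets
from typing import Callable, Iterable, Dict, List

# Hypothetical type for the script's per-username check: True means the
# response was classified as "valid account" by whatever logic the script uses.
Probe = Callable[[str], bool]


def random_canary(length: int = 12) -> str:
    """Build a random username that cannot plausibly exist on the target."""
    return "nse-canary-" + secrets.token_hex(length // 2)


def enumerate_with_canaries(probe: Probe, candidates: Iterable[str],
                            canaries: int = 2) -> Dict[str, object]:
    """Run the probe over candidate usernames, guarded by canary checks.

    Before any candidate is tested, a few random usernames are probed.
    If the target reports one of them as valid, the detection cannot be
    trusted (for example an error page answering 200 OK with a cookie for
    every request), so the result is flagged unreliable and no users are
    reported instead of listing every candidate as a hit.
    """
    for _ in range(canaries):
        if probe(random_canary()):
            return {"reliable": False, "valid_users": []}
    valid: List[str] = [user for user in candidates if probe(user)]
    return {"reliable": True, "valid_users": valid}


# Constructed stand-in for the misbehaving target Patrik observed:
# every request looks like a valid account to the classifier.
def error_page_probe(user: str) -> bool:
    return True


# Constructed stand-in for a target with exactly two real accounts
# (the names are the ones shown in the script's sample output).
_KNOWN_ACCOUNTS = {"admin", "tomcat"}


def selective_probe(user: str) -> bool:
    return user in _KNOWN_ACCOUNTS


if __name__ == "__main__":
    wordlist = ["admin", "tomcat", "nobody"]
    print(enumerate_with_canaries(error_page_probe, wordlist))
    print(enumerate_with_canaries(selective_probe, wordlist))
```

With the first probe the function returns `reliable: False` and reports nothing, which is the behaviour Patrik asked for; with the second it reports only `admin` and `tomcat`. The canary names are random per run so a target cannot special-case them, and they are probed before the wordlist so an unreliable target costs only a couple of extra requests.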
Current thread:
- Re: [NSE] http-vuln-cve2009-0580 David Fifield (May 01)