Full Disclosure mailing list archives
Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
From: Christopher Schultz <chris () christopherschultz net>
Date: Thu, 04 Jun 2009 12:48:19 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mark, On 6/3/2009 11:42 AM, Mark Thomas wrote:
CVE-2009-0580: Tomcat information disclosure vulnerability
I know I'm likely to get a vague response, but could you provide some more info about this issue?
Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of usernames by supplying illegally URL encoded passwords.
[snip]
j_username=tomcat&j_password=%
I'm not sure how the patch (I read the patch for TC5.5 DataSourceRealm.java) changes anything at all: it appears to be merely a performance optimization. No changes are made to the behavior of Tomcat, since the same null is returned to the caller if the credentials do not match. I don't see any information disclosure vulnerability in the first place, and I don't see how your patch would have fixed it. ??! - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkon+tMACgkQ9CaO5/Lv0PCd5ACfcBAJjcKnjKjDgChIezhr8Oty MkQAoKUVc0ynWGvtp0Wf4S42Jeytxwwk =iKFX -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication Christopher Schultz (Jun 04)