Nmap Development mailing list archives
Re: [NSE] http-vuln-cve2009-0580
From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 23 Mar 2012 10:06:53 -0400
On Mon, Mar 19, 2012 at 12:15 PM, M. Hani Benhailes <kroosec () gmail com>wrote:
Hi list,

description = [[
Tries to exploit cve-2009-0580 also known as Apache Tomcat user enumeration
with FORM authentication.

This vulnerability permits to enumerate (brute force) valid Apache tomcat
server users via requests to /j_security_check with malformed URL encoding
of passwords. It is present in versions 6.0.0 to 6.0.18, 5.5.0 to 5.5.27
and 4.1.0 to 4.1.39

For more information, see:
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0580
* http://www.osvdb.org/55055
* http://www.securityfocus.com/bid/35196
]]

--@output
-- PORT   STATE SERVICE
-- 80/tcp open  http
--| http-vuln-cve2009-0580:
--|   VULNERABLE:
--|   Apache Tomcat user enumeration with FORM authentication
--|     State: VULNERABLE (Exploitable)
--|     IDs:  CVE:CVE-2009-0580
--|     Risk factor: Low  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
--|     Description:
--|       Permits to enumerate Apache Tomcat users remotely and is present in
--|       Apache Tomcat 6.0.0 to 6.0.18, 5.5.0 to 5.5.27 and 4.1.0 to 4.1.39
--|     Disclosure date: 2009-06-14
--|     Exploit results:
--|       admin
--|       tomcat
--|     References:
--|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
--|_      http://www.osvdb.org/55055

Cheers,
Hani.

--
M. Hani Benhabiles
OWASP Algeria Student Chapter: Founder/President.
http://www.owaspalgeriasc.org
https://www.owasp.org/index.php/Algeria_Student_Chapter
Email: hani.benhabiles () owasp org
Twitter: https://twitter.com/#!/kroosec
Blog: http://kroosec.blogspot.com

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Hi Hani,

I've been trying to test this script against a vulnerable version configured to use form based authentication but can't get it to work. What happens is that it reports all accounts as valid ones, even though they're not. I'm seeing a 200 OK and a cookie being set in all responses. Could you share the configuration you're using so that I can test the script?

Also, I'm guessing the script needs some additional check to make sure it's not hitting an error page returning a 200 OK, as this would also report all accounts as valid. One way of doing this is to check one or two random usernames and make sure that they're not detected as valid.

Cheers,
Patrik

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
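The control check Patrik proposes, written out as an added example that is not part of the posted script or of Nmap itself: before trusting the oracle, probe a couple of random usernames that cannot exist on the target; if any of them is classified as valid, the check is reporting an error page (or a misconfigured target) rather than a real differential, and the scan result is inconclusive. The two "servers" below are constructed in-process stand-ins for the HTTP exchange so the block runs offline. Which response a vulnerable Tomcat returns for an existing versus a non-existing user is not stated in this thread, so the differential modelled in `differential_server` (a 500 for known users, 200 plus a session cookie otherwise) is an assumption chosen only to exercise the control logic; the classifier is a parameter precisely so that the real oracle can be swapped in.

```python
import random
import string

# Malformed URL encoding of the password, as the CVE description puts it.
MALFORMED_PASSWORD = "%"


def random_username(n=12):
    # Twelve random lowercase letters: practically guaranteed not to be a
    # real account, which is what makes it usable as a negative control.
    return "".join(random.choices(string.ascii_lowercase, k=n))


def enumerate_users(server, candidates, looks_valid, controls=2):
    """Probe candidate usernames through an oracle, guarded by control probes.

    server(user, password) -> (status_code, set_cookie_header_or_None)
    looks_valid(status_code, cookie) -> bool, the oracle being tested
    Returns (state, found) where state is 'inconclusive', 'vulnerable' or
    'not_vulnerable'.
    """
    # Negative controls: names that cannot exist must NOT come back as valid.
    # If one does, we are looking at an error page or a bad oracle, and every
    # "valid" result the candidate loop would produce is a false positive.
    for _ in range(controls):
        status, cookie = server(random_username(), MALFORMED_PASSWORD)
        if looks_valid(status, cookie):
            return "inconclusive", []

    found = []
    for user in candidates:
        status, cookie = server(user, MALFORMED_PASSWORD)
        if looks_valid(status, cookie):
            found.append(user)
    return ("vulnerable" if found else "not_vulnerable"), found


# --- constructed targets (hypothetical models, not real Tomcat behaviour) ---

def differential_server(known_users):
    """Assumed model of a vulnerable realm: a malformed password for an
    existing user produces a different response than for an unknown one."""
    def handle(user, password):
        if user in known_users and "%" in password:
            return 500, None
        return 200, "JSESSIONID=0123456789ABCDEF; Path=/"
    return handle


def error_page_server(user, password):
    """The symptom reported in the thread: every request, valid user or not,
    gets a 200 OK with a cookie set (an error page, or a non-vulnerable target)."""
    return 200, "JSESSIONID=0123456789ABCDEF; Path=/"


# --- two oracles ---

def naive_classifier(status, cookie):
    # "200 OK and a cookie means a valid user": wrong against error_page_server.
    return status == 200 and cookie is not None


def differential_classifier(status, cookie):
    # Matches the assumed differential of differential_server above.
    return status == 500


if __name__ == "__main__":
    targets = [("admin", "tomcat", "root", "guest")]
    print(enumerate_users(error_page_server, targets[0], naive_classifier))
    print(enumerate_users(differential_server({"admin", "tomcat"}),
                          targets[0], differential_classifier))
```

Note that the controls also catch the naive oracle against the modelled vulnerable target: since unknown users there get a 200 and a cookie, a random name is "valid" to `naive_classifier`, and the run is flagged inconclusive instead of listing every candidate as an account.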
Current thread:
- [NSE] http-vuln-cve2009-0580 M. Hani Benhailes (Mar 19)
- Re: [NSE] http-vuln-cve2009-0580 Patrik Karlsson (Mar 23)