exploit the possibilities

Apache Tomcat CSRF Prevention Filter Bypass

Apache Tomcat CSRF Prevention Filter Bypass
Posted Dec 5, 2012
Authored by Mark Thomas | Site tomcat.apache.org

The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request. Tomcat versions 6.0.0 through 6.0.35 and 7.0.0 through 7.0.31 are affected.

tags | advisory
advisories | CVE-2012-4431
MD5 | 3b2c8c5c11b7071f89c169019d6bfe2f

Apache Tomcat CSRF Prevention Filter Bypass

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.0 to 7.0.31
- - Tomcat 6.0.0 to 6.0.35

Description:
The CSRF prevention filter could be bypassed if a request was made to a
protected resource without a session identifier present in the request.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- - Tomcat 7.0.x users should upgrade to 7.0.32 or later
- - Tomcat 6.0.x users should upgrade to 6.0.36 or later

Credit:
This issue was identified by The Tomcat security team

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBAgAGBQJQvlNvAAoJEBDAHFovYFnnY80QAMvP1gIpG00vfIdiFabpJX55
UEmkPuTSefxZ6NMvAL8GkuUe8CoC6KinCgOx+s8eGlEiHtWFoYvM/Ckg8E3a8SY6
MfD8GLo2av/LdULGSCBrbaL2wFbgixPTBpgR9YS4bdpTK5nVqBZyZOjOzptqRDnE
BQXDLLKa65/z7cF57l+XcLs1+JW3KJGRiGJzBNUrJK1x/AzfgRgk4jgvYdyDWdpI
zuXKgwBbunblPL4sZhZA2mhoswBIMIJIaHXOAD28Ddt9IIae0UFptY6LmExOkSsa
PtshA4EBlO8JTPPcfwtqA/bkHAWCzB1QshkYD57rLF3t1ouDQWI6j8l+q3AYIxzv
a0Ix4qzE2hekcjGSCUMZUqNgcaGSjsggaOEo5zauM01osPQxbfpH41eH5fIWlMKi
vrxRjYJwLyLdkj3bZFuP7Uq1GL4BLjeKDfqsL4aqcfdBPZea6C9rToEkB8EjD4vf
DVdrX4Ivg3ImMMnL+gkX4+5aLp+jpw23G9gZbX1DJn+648iv3yFoK5ysOWy1GAAO
x1Iq3pa49NigJ0ipjZvxc07THIoiK/t49/3fWzMR1Xm819oJC2/Qf512l/FpEltK
kQ0y8BC4+7ypUZyhtwE3jzLW1x2j4ZBK8l1nX0X92WepJ6piro/7o80qiyDMfqPC
hbmBu213eSXnV9kRHveI
=jich
-----END PGP SIGNATURE-----


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close