SEC Consult Security Advisory < 20070314-0 >
=======================================================================
               title: Apache HTTP Server / Tomcat directory traversal
             program: Apache HTTP Server / Apache Tomcat
  vulnerable version: Apache Tomcat 5.x:  < 5.5.22
                      Apache Tomcat 6.x:  < 6.0.10
                 CVE: CVE-2007-0450
              impact: high
            homepage: http://httpd.apache.org/
                      http://tomcat.apache.org/
               found: 2006-11-27
                  by: D. Matscheko / SEC-CONSULT / www.sec-consult.com
=======================================================================

Vendor description:
---------------

The Apache HTTP Server Project is an effort to develop and maintain
an open-source HTTP server for modern operating systems including
UNIX and Windows NT. The goal of this project is to provide a
secure, efficient and extensible server that provides HTTP services
in sync with the current HTTP standards.

[Source: http://httpd.apache.org/]

Apache Tomcat is the servlet container that is used in the official
Reference Implementation for the Java Servlet and JavaServer Pages
technologies. The Java Servlet and JavaServer Pages specifications
are developed by Sun under the Java Community Process.

[Source: http://tomcat.apache.org/]


Vulnerability overview:
---------------

If the Apache HTTP Server and Tomcat are configured to interoperate
with the common proxy modules (mod_proxy, mod_rewrite, mod_jk), an
attacker might be able to break out of the intended destination
path up to the webroot in Tomcat.


Vulnerability description:
---------------

 * The only character found to be accepted as directory separator
   from Apache is "/" (slash).
 * On the other hand Tomcat allows characters including URI encoded
   characters like "/" (slash), "\" (backslash) or "%5C" (backslash
   URI encoded).

This allowing an attacker to utilize directory traversing attack
methods.

Depending on the configuration HTTP requests, including strings like
"/\../" allow attackers to break out of the given context- and
directory structures.


Example / proof of concept:
---------------

As an example an URL like

"http://www.example.com/foo/\../manager/html"

would point to the Tomcat Manager Application. If the password for
the Tomcat Manager can be guessed, it is possible to deploy new
applications like e.g. a remote command shell.

Note: Using this method, the Tomcat Manager and also other web
applications can be accessed over port 80, even if they are not
proxied by the Apache HTTP Server. Port 8080 (the Tomcat HTTP port)
and 8009 (the Tomcat AJP port) can be and are assumed to be blocked
by a firewall.


Vulnerable versions:
---------------

Apache Tomcat < 5.5.22
Apache Tomcat < 6.0.10


Vendor status:
---------------

vendor notified: 2007-02-08
vendor response: 2007-02-08
patch available: 2007-02-28
disclosure: 2007-03-14


http://www.sec-consult.com/286.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems. For more
information, please refer to http://www.sec-consult.com/236.html

EOF David Matscheko / @2007