what you don't know can hurt you

SA-20070314-0.txt

SA-20070314-0.txt
Posted Mar 20, 2007
Authored by D. Matscheko | Site sec-consult.com

SEC Consult Security Advisory 20070314-0 - If the Apache HTTP Server and Tomcat are configured to interoperate with the common proxy modules (mod_proxy, mod_rewrite, mod_jk), an attacker might be able to break out of the intended destination path up to the webroot in Tomcat.

tags | exploit, web
advisories | CVE-2007-0450
MD5 | 5262c705a158558fe3884f0bbf91fb63

SA-20070314-0.txt

Change Mirror Download
SEC Consult Security Advisory < 20070314-0 >
=======================================================================
title: Apache HTTP Server / Tomcat directory traversal
program: Apache HTTP Server / Apache Tomcat
vulnerable version: Apache Tomcat 5.x: < 5.5.22
Apache Tomcat 6.x: < 6.0.10
CVE: CVE-2007-0450
impact: high
homepage: http://httpd.apache.org/
http://tomcat.apache.org/
found: 2006-11-27
by: D. Matscheko / SEC-CONSULT / www.sec-consult.com
=======================================================================

Vendor description:
---------------

The Apache HTTP Server Project is an effort to develop and maintain
an open-source HTTP server for modern operating systems including
UNIX and Windows NT. The goal of this project is to provide a
secure, efficient and extensible server that provides HTTP services
in sync with the current HTTP standards.

[Source: http://httpd.apache.org/]

Apache Tomcat is the servlet container that is used in the official
Reference Implementation for the Java Servlet and JavaServer Pages
technologies. The Java Servlet and JavaServer Pages specifications
are developed by Sun under the Java Community Process.

[Source: http://tomcat.apache.org/]


Vulnerability overview:
---------------

If the Apache HTTP Server and Tomcat are configured to interoperate
with the common proxy modules (mod_proxy, mod_rewrite, mod_jk), an
attacker might be able to break out of the intended destination
path up to the webroot in Tomcat.


Vulnerability description:
---------------

* The only character found to be accepted as directory separator
from Apache is "/" (slash).
* On the other hand Tomcat allows characters including URI encoded
characters like "/" (slash), "\" (backslash) or "%5C" (backslash
URI encoded).

This allowing an attacker to utilize directory traversing attack
methods.

Depending on the configuration HTTP requests, including strings like
"/\../" allow attackers to break out of the given context- and
directory structures.


Example / proof of concept:
---------------

As an example an URL like

"http://www.example.com/foo/\../manager/html"

would point to the Tomcat Manager Application. If the password for
the Tomcat Manager can be guessed, it is possible to deploy new
applications like e.g. a remote command shell.

Note: Using this method, the Tomcat Manager and also other web
applications can be accessed over port 80, even if they are not
proxied by the Apache HTTP Server. Port 8080 (the Tomcat HTTP port)
and 8009 (the Tomcat AJP port) can be and are assumed to be blocked
by a firewall.


Vulnerable versions:
---------------

Apache Tomcat < 5.5.22
Apache Tomcat < 6.0.10


Vendor status:
---------------

vendor notified: 2007-02-08
vendor response: 2007-02-08
patch available: 2007-02-28
disclosure: 2007-03-14


http://www.sec-consult.com/286.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems. For more
information, please refer to http://www.sec-consult.com/236.html

EOF David Matscheko / @2007
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close