Exploit the possiblities
Showing 1 - 25 of 68 RSS Feed

Files from Mark Thomas

Email addressmarkt at apache.org
First Active2007-05-22
Last Active2017-04-10
Apache Tomcat 7.x / 8.x / 9.x Information Disclosure
Posted Apr 10, 2017
Authored by Mark Thomas | Site tomcat.apache.org

While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. Apache Tomcat versions 7.0.0 through 7.0.75, 8.0.0.RC1 through 8.0.41, 8.5.0 through 8.5.11, and 9.0.0.M1 through 9.0.0.M17 are affected.

tags | advisory, web
advisories | CVE-2017-5648
MD5 | edf987c7d7f59ee5f0bb2cacdb6d0c4c
Apache Tomcat 8.x / 9.x Refactoring Information Disclosure
Posted Apr 10, 2017
Authored by Mark Thomas | Site tomcat.apache.org

The refactoring of the HTTP connectors for 8.5.x onwards, introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up. Apache Tomcat versions 8.5.0 through 8.5.12 and 9.0.0.M1 through 9.0.0.M18 are affected.

tags | advisory, web
advisories | CVE-2017-5651
MD5 | e9f6d09a47719cc3fefeacc7e674ddb0
Apache Tomcat 9.0.0.M13 / 8.5.8 Information Disclosure
Posted Dec 12, 2016
Authored by Mark Thomas | Site tomcat.apache.org

Apache Tomcat versions 9.0.0.M1 to 9.0.0.M13 and 8.5.0 to 8.5.8 suffer from an information disclosure vulnerability.

tags | advisory, info disclosure
advisories | CVE-2016-8745
MD5 | 5dd659d7f3fb668f87dd57fe16c2a7cd
Apache Tomcat JK ISAPI Connector 1.2.41 Buffer Overflow
Posted Oct 11, 2016
Authored by Mark Thomas | Site tomcat.apache.org

Apache Tomcat JK ISAPI Connector versions 1.2.0 through 1.2.41 suffer from a buffer overflow vulnerability.

tags | advisory, overflow
advisories | CVE-2016-6808
MD5 | e85a9b5213fc6c413a4de97cb390b876
Apache Tomcat Security Manager Bypass
Posted Feb 23, 2016
Authored by Mark Thomas | Site tomcat.apache.org

ResourceLinkFactory.setGlobalContext() is a public method and was accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web applications and/or read and write data owned by other web applications. Apache Tomcat versions 7.0.0 through 7.0.67, 8.0.0.RC1 through 8.0.30, and 9.0.0.M1 through 9.0.0.M2 are affected.

tags | advisory, web
advisories | CVE-2016-0763
MD5 | 112e004efaeced2fb60845b506cae23d
Apache Tomcat Directory Disclosure
Posted Feb 23, 2016
Authored by Mark Thomas | Site tomcat.apache.org

When accessing a directory protected by a security constraint with a URL that did not end in a slash, Tomcat would redirect to the URL with the trailing slash thereby confirming the presence of the directory before processing the security constraint. It was therefore possible for a user to determine if a directory existed or not, even if the user was not permitted to view the directory. The issue also occurred at the root of a web application in which case the presence of the web application was confirmed, even if a user did not have access. Apache Tomcat versions 6.0.0 through 6.0.44, 7.0.0 through 7.0.65, and 8.0.0.RC1 through 8.0.29.

tags | advisory, web, root
advisories | CVE-2015-5345
MD5 | 417be5a08eca0d569330765e7eec5d08
Apache Tomcat Limited Directory Traversal
Posted Feb 22, 2016
Authored by Mark Thomas | Site tomcat.apache.org

When accessing resources via the ServletContext methods getResource() getResourceAsStream() and getResourcePaths() the paths should be limited to the current web application. The validation was not correct and paths of the form "/.." were not rejected. Note that paths starting with "/../" were correctly rejected. Apache Tomcat versions 6.0.0 through 6.0.44, 7.0.0 through 7.0.64, and 8.0.0.RC1 through 8.0.26.

tags | advisory, web
advisories | CVE-2015-5174
MD5 | b46639530618df68a6b54c22e31d30a7
Apache Tomcat CSRF Token Leak
Posted Feb 22, 2016
Authored by Mark Thomas | Site tomcat.apache.org

The index page of the Manager and Host Manager applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to construct a CSRF attack. Apache Tomcat versions 7.0.1 through 7.0.67, 8.0.0.RC1 through 8.0.31, and 9.0.0.M1 are affected.

tags | advisory, web, root
advisories | CVE-2015-5351
MD5 | 13d06389e7723e26a16ec716117e92fb
Apache Tomcat Security Manager StatusManagerServlet Bypass
Posted Feb 22, 2016
Authored by Mark Thomas | Site tomcat.apache.org

The StatusManagerServlet could be loaded by a web application when a security manager was configured. This servlet would then provide the web application with a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. This could have exposed sensitive information from other web applications such as session IDs to the web application. Apache Tomcat versions 6.0.0 through 6.0.44, 7.0.0 through 7.0.67, 8.0.0.RC1 through 8.0.30, and 9.0.0.M1 are affected.

tags | advisory, web
advisories | CVE-2016-0706
MD5 | 11b7b49d8b9c8b774f372a62458eb542
Apache Tomcat Session Fixation
Posted Feb 22, 2016
Authored by Mark Thomas | Site tomcat.apache.org

When recycling the Request object to use for a new request, the requestedSessionSSL field was not recycled. This meant that a session ID provided in the next request to be processed using the recycled Request object could be used when it should not have been. This gave the client the ability to control the session ID. In theory, this could have been used as part of a session fixation attack but it would have been hard to achieve as the attacker would not have been able to force the victim to use the 'correct' Request object. It was also necessary for at least one web application to be configured to use the SSL session ID as the HTTP session ID. This is not a common configuration. Apache Tomcat versions 7.0.5 through 7.0.65, 8.0.0.RC1 through 8.0.30, and 9.0.0.M1 are affected.

tags | advisory, web
advisories | CVE-2015-5346
MD5 | 4c28624d20682b4c548e0c8ee7d33a5c
Apache Tomcat Security Manager Persistence Bypass
Posted Feb 22, 2016
Authored by Mark Thomas | Site tomcat.apache.org

Apache Tomcat provides several session persistence mechanisms. The StandardManager persists session over a restart. The PersistentManager is able to persist sessions to files, a database or a custom Store. The Cluster implementation persists sessions to one or more additional nodes in the cluster. All of these mechanisms could be exploited to bypass a security manager. Session persistence is performed by Tomcat code with the permissions assigned to Tomcat internal code. By placing a carefully crafted object into a session, a malicious web application could trigger the execution of arbitrary code. Apache Tomcat versions 6.0.0 through 6.0.44, 7.0.0 through 7.0.67, 8.0.0.RC1 through 8.0.30, and 9.0.0.M1 are affected.

tags | advisory, web, arbitrary
advisories | CVE-2016-0714
MD5 | 0161201165f0e16b92a808ed998fb0e6
Apache Tomcat Security Manager Bypass
Posted May 14, 2015
Authored by Mark Thomas | Site tomcat.apache.org

Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section. This issue only affects installations that run web applications from untrusted sources. Apache Tomcat versions 8.0.0-RC1 to 8.0.15, 7.0.0 to 7.0.57, and 6.0.0 to 6.0.43 are affected.

tags | advisory, web, bypass
advisories | CVE-2014-7810
MD5 | 410d6bc8ebb05d4a1ec751f0d6ef088b
Apache Tomcat 7.0.39 Remote Code Execution
Posted Sep 10, 2014
Authored by Mark Thomas, Pierre Ernst | Site tomcat.apache.org

In very limited circumstances, it was possible for an attacker to upload a malicious JSP to a Tomcat server and then trigger the execution of that JSP. While Remote Code Execution would normally be viewed as a critical vulnerability, the circumstances under which this is possible are, in the view of the Tomcat security team, sufficiently limited that this vulnerability is viewed as important. Apache Tomcat versions 7.0.0 through 7.0.39 are affected.

tags | advisory, remote, code execution
advisories | CVE-2013-4444
MD5 | 6f71df48b43e53b12fd987b6c4f4c4b1
Apache Tomcat XML Parser Information Disclosure
Posted May 30, 2014
Authored by Mark Thomas | Site tomcat.apache.org

In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XMl parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance. Versions affected include Apache Tomcat 8.0.0-RC1 to 8.0.5, Apache Tomcat 7.0.0 to 7.0.53, and Apache Tomcat 6.0.0 to 6.0.39.

tags | advisory, web
advisories | CVE-2014-0119
MD5 | 5bf0de101075a8680add82c3a1818657
Apache Tomcat XSLT Information Disclosure
Posted May 30, 2014
Authored by Mark Thomas | Site tomcat.apache.org

The default servlet allows web applications to define (at multiple levels) an XSLT to be used to format a directory listing. When running under a security manager, the processing of these was not subject to the same constraints as the web application. This enabled a malicious web application to bypass the file access constraints imposed by the security manager via the use of external XML entities. Versions affected include Apache Tomcat 8.0.0-RC1 to 8.0.3, Apache Tomcat 7.0.0 to 7.0.52, and Apache Tomcat 6.0.0 to 6.0.39.

tags | advisory, web
advisories | CVE-2014-0096
MD5 | 6239c35f875e5fb748a963512ba6bf99
Apache Tomcat Information Disclosure
Posted May 29, 2014
Authored by Mark Thomas | Site tomcat.apache.org

The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header. Versions affected include Apache Tomcat 8.0.0-RC1 to 8.0.3, Apache Tomcat 7.0.0 to 7.0.52, and Apache Tomcat 6.0.0 to 6.0.39.

tags | advisory, overflow
advisories | CVE-2014-0099
MD5 | 5111e908ad08ae8ebd18c203b6493da1
Apache Tomcat Denial Of Service
Posted May 29, 2014
Authored by Mark Thomas | Site tomcat.apache.org

It was possible to craft a malformed chunk size as part of a chucked request that enabled an unlimited amount of data to be streamed to the server, bypassing the various size limits enforced on a request. This enabled a denial of service attack. Versions affected include Apache Tomcat 8.0.0-RC1 to 8.0.3, Apache Tomcat 7.0.0 to 7.0.52, and Apache Tomcat 6.0.0 to 6.0.39.

tags | advisory, denial of service
advisories | CVE-2014-0075
MD5 | 58481d1d8cde56b09ee7b37ef3cc2cf1
Apache Tomcat Denial Of Service
Posted May 29, 2014
Authored by Mark Thomas | Site tomcat.apache.org

A regression was introduced in revision 1519838 that caused AJP requests to hang if an explicit content length of zero was set on the request. The hanging request consumed a request processing thread which could lead to a denial of service. Versions affected include Apache Tomcat 8.0.0-RC2 to 8.0.3.

tags | advisory, denial of service
advisories | CVE-2014-0095
MD5 | a5c4c65f29ed8306dcd76c7893ccc1dc
Apache Struts ClassLoader Manipulation Remote Code Execution
Posted May 2, 2014
Authored by Mark Thomas, Przemyslaw Celej | Site metasploit.com

This Metasploit module exploits a remote command execution vulnerability in Apache Struts versions < 2.3.16.2. This issue is caused because the ParametersInterceptor allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader manipulation, which allows remote attackers to execute arbitrary Java code via crafted parameters.

tags | exploit, java, remote, arbitrary
advisories | CVE-2014-0094, CVE-2014-0112
MD5 | 319dec4b888717b00b12adae3a924a59
Apache Tomcat Information Disclosure Via XXE
Posted Feb 26, 2014
Authored by Mark Thomas | Site tomcat.apache.org

Apache Tomcat versions 8.0.0-RC1 through 8.0.0-RC5, 7.0.0 through 7.0.47, and 6.0.0 through 6.0.37 suffer from an information disclosure vulnerability via XXE when running untrusted web applications.

tags | advisory, web, info disclosure
advisories | CVE-2013-4590
MD5 | 0eeec36c4a472deb572d0172dc72641e
Apache Tomcat Denial Of Service
Posted Feb 26, 2014
Authored by Mark Thomas | Site tomcat.apache.org

Apache Tomcat versions 8.0.0-RC1 through 8.0.0-RC5, 7.0.0 through 7.0.47, and 6.0.0 through 6.0.37 suffer from a denial of service vulnerability due to an incomplete fix for CVE-2012-3544.

tags | advisory, denial of service
advisories | CVE-2012-3544, CVE-2013-4322
MD5 | 400469129e73f607c8550c11f22ca095
Apache Tomcat Session Fixation
Posted Feb 25, 2014
Authored by Mark Thomas | Site tomcat.apache.org

Apache Tomcat versions 6.0.33 through 6.0.37 suffer from a session fixation vulnerability.

tags | advisory
advisories | CVE-2014-0033
MD5 | 79e6f4fd5da771d4831b4876691affe6
Apache Tomcat Information Disclosure
Posted Feb 25, 2014
Authored by Mark Thomas | Site tomcat.apache.org

Apache Tomcat versions 8.0.0-RC1, 7.0.0 through 7.0.42, and 6.0.0 through 6.0.37 suffer from an information disclosure vulnerability due to an incomplete fix for CVE-2005-2090.

tags | advisory, info disclosure
advisories | CVE-2005-2090, CVE-2013-4286
MD5 | ae23ddedd56b3c796ffd54760386c25e
Apache Commons FileUpload / Apache Tomcat Denial Of Service
Posted Feb 7, 2014
Authored by Mark Thomas | Site tomcat.apache.org

It is possible to craft a malformed Content-Type header for a multipart request that causes Apache Commons FileUpload to enter an infinite loop. A malicious user could, therefore, craft a malformed request that triggered a denial of service. Affected include Apache Tomcat versions 7.0.0 through 7.0.50, 8.0.0-RC1 through 8.0.1, and Apache Commons FileUpload versions 1.0 through 1.3.

tags | advisory, denial of service
advisories | CVE-2014-0050
MD5 | 74c15a9ee9199cea345a890efda3be94
Apache Tomcat 7.0.39 AsyncListener RuntimeException
Posted May 10, 2013
Authored by Mark Thomas | Site tomcat.apache.org

There was a scenario where elements of a previous request may be exposed to a current request. This was very difficult to exploit deliberately but fairly likely to happen unexpectedly if an application used AsyncListeners that threw RuntimeExceptions. The issue was fixed by catching the RuntimeExceptions. Apache Tomcat versions 7.0.0 through 7.0.39 are affected.

tags | advisory
advisories | CVE-2013-2071
MD5 | e16543105168294d7b5588e6bbef8b21
Page 1 of 3
Back123Next

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    4 Files
  • 19
    Nov 19th
    2 Files
  • 20
    Nov 20th
    9 Files
  • 21
    Nov 21st
    15 Files
  • 22
    Nov 22nd
    23 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close