SEC Consult Security Advisory < 20070314-0 > ======================================================================= title: Apache HTTP Server / Tomcat directory traversal program: Apache HTTP Server / Apache Tomcat vulnerable version: Apache Tomcat 5.x: < 5.5.22 Apache Tomcat 6.x: < 6.0.10 CVE: CVE-2007-0450 impact: high homepage: http://httpd.apache.org/ http://tomcat.apache.org/ found: 2006-11-27 by: D. Matscheko / SEC-CONSULT / www.sec-consult.com ======================================================================= Vendor description: --------------- The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. [Source: http://httpd.apache.org/] Apache Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. [Source: http://tomcat.apache.org/] Vulnerability overview: --------------- If the Apache HTTP Server and Tomcat are configured to interoperate with the common proxy modules (mod_proxy, mod_rewrite, mod_jk), an attacker might be able to break out of the intended destination path up to the webroot in Tomcat. Vulnerability description: --------------- * The only character found to be accepted as directory separator from Apache is "/" (slash). * On the other hand Tomcat allows characters including URI encoded characters like "/" (slash), "\" (backslash) or "%5C" (backslash URI encoded). This allowing an attacker to utilize directory traversing attack methods. Depending on the configuration HTTP requests, including strings like "/\../" allow attackers to break out of the given context- and directory structures. Example / proof of concept: --------------- As an example an URL like "http://www.example.com/foo/\../manager/html" would point to the Tomcat Manager Application. If the password for the Tomcat Manager can be guessed, it is possible to deploy new applications like e.g. a remote command shell. Note: Using this method, the Tomcat Manager and also other web applications can be accessed over port 80, even if they are not proxied by the Apache HTTP Server. Port 8080 (the Tomcat HTTP port) and 8009 (the Tomcat AJP port) can be and are assumed to be blocked by a firewall. Vulnerable versions: --------------- Apache Tomcat < 5.5.22 Apache Tomcat < 6.0.10 Vendor status: --------------- vendor notified: 2007-02-08 vendor response: 2007-02-08 patch available: 2007-02-28 disclosure: 2007-03-14 http://www.sec-consult.com/286.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Blindengasse 3 A-1080 Wien Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com www.sec-consult.com SEC Consult conducts periodical information security workshops on ISO 27001/BS 7799 in cooperation with BSI Management Systems. For more information, please refer to http://www.sec-consult.com/236.html EOF David Matscheko / @2007