Subject: [SECURITY] CVE-2007-5333: Tomcat Cookie handling vulnerabilities
Date: Fri, 08 Feb 2008 23:19:15 +0000
From: Mark Thomas
To: Tomcat Users List, Tomcat Developers List, bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
CC: Apache Tomcat private security list
Message-ID: <47ACE373.5080907@apache.org>

CVE-2007-5333: Tomcat Cookie handling vulnerabilities

Severity: low - Session hi-jacking

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.36
Tomcat 5.5.0 to 5.5.25
Tomcat 6.0.0 to 6.0.14

Description:
The previous fix for CVE-2007-3385 was incomplete. It did not consider the
use of quotes or %5C within a cookie value.

Mitigation:
6.0.x users should upgrade to Tomcat 6.0.16 or later
5.5.x users should upgrade to Tomcat 5.5.26 or later
4.1.x users should build from the latest svn source

Examples:
+++
GET /myapp/MyCookies HTTP/1.1
Host: localhost
Cookie: name="val " ue"
Cookie: name1=moi
+++
http://example:8080/examples/servlets/servlet/CookieExample?cookiename=test&cookievalue=test%5c%5c%22%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2Fservlets-examples%2Fservlet+%3B

Credit:
The quotes issue was reported by John Kew.
The %5C issue was reported by Ishikawa Yoshihiro via JPCERT/CC.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html

The Apache Tomcat Security Team
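As an added illustration (not part of the advisory and not Tomcat's own code), the Python below models the two failure modes the examples above point at: a quoted Cookie value with an unescaped inner quote, and a Set-Cookie value whose %5C-encoded backslashes defeat escaping that handles only the double quote, so that a client which splits on ';' without honouring quotes reads attacker-supplied Expires and Path attributes. The function names are hypothetical; the hardened serializer applies the RFC 6265 cookie-octet rule, and the inputs are constructed from the advisory's two examples.

```python
import re
from urllib.parse import unquote_plus

# RFC 6265 cookie-octet: printable ASCII minus space, DQUOTE, comma, semicolon and backslash.
_COOKIE_OCTET = re.compile(r'[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*')

def read_quoted_value(s: str) -> tuple[str, str]:
    """Read an RFC 2109 quoted-string from the start of s (backslash escapes the
    next character). Returns (decoded value, unconsumed remainder); a parser must
    reject a remainder that does not start with ';' instead of resynchronising."""
    if not s.startswith('"'):
        raise ValueError("not a quoted value")
    out, i = [], 1
    while i < len(s):
        ch = s[i]
        if ch == '\\' and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        elif ch == '"':
            return ''.join(out), s[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated quoted value")

def naive_quote(value: str) -> str:
    """Escape only the double quote and wrap in quotes; the backslash is left
    alone, which is the kind of incomplete escaping the advisory describes."""
    return '"' + value.replace('"', '\\"') + '"'

def browser_attributes(set_cookie: str) -> list[str]:
    """Attribute names as a quote-unaware client sees them: split on ';' only."""
    return [p.strip().split('=', 1)[0] for p in set_cookie.split(';')[1:] if p.strip()]

def safe_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Hardened serializer: refuse any value that would need quoting or escaping,
    so no client can mistake an attacker-supplied ';' for a new attribute."""
    if not _COOKIE_OCTET.fullmatch(value):
        raise ValueError(f"unsafe cookie value for {name!r}")
    return f"{name}={value}; Path={path}"

# Constructed inputs modelled on the advisory's two examples (URL-decoded).
QUOTED_COOKIE_HEADER = 'name="val " ue"; name1=moi'
ATTACK_VALUE = unquote_plus("test%5c%5c%22%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B"
                            "+Path%3D%2Fservlets-examples%2Fservlet+%3B")

if __name__ == "__main__":
    header = f"test={naive_quote(ATTACK_VALUE)}; Path=/examples"
    print(browser_attributes(header))  # client sees injected Expires and Path first
```

The RFC-style reader returns the whole naively quoted value as one string, while the ';'-splitting view of the same header yields Expires and Path attributes the server never intended; the hardened serializer rejects such a value outright.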