tomcat-users mailing list archives

From Len Popp <len.p...@gmail.com>
Subject Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
Date Thu, 04 Jun 2009 18:06:56 GMT
It looks to me like the change fixes an NPE when a null or nonsense
password is given. The NPE would allow an attacker to determine if a
username is valid (without having to know the password). Not the most
serious security breach, but login protocols aren't supposed to let
you guess usernames.
-- 
Len



On Thu, Jun 4, 2009 at 12:48, Christopher Schultz <chris@christopherschultz.net> wrote:
> Mark,
>
> On 6/3/2009 11:42 AM, Mark Thomas wrote:
>> CVE-2009-0580: Tomcat information disclosure vulnerability
>
> I know I'm likely to get a vague response, but could you provide some
> more info about this issue?
>
>> Due to insufficient error checking in some authentication classes,
>> Tomcat allows for the enumeration (brute force testing) of usernames by
>> supplying illegally URL encoded passwords.
>
> [snip]
>
>> j_username=tomcat&j_password=%
>
> I'm not sure how the patch (I read the patch for TC5.5
> DataSourceRealm.java) changes anything at all: it appears to be merely a
> performance optimization.
>
> No changes are made to the behavior of Tomcat, since the same null is
> returned to the caller if the credentials do not match.
>
> I don't see any information disclosure vulnerability in the first place,
> and I don't see how your patch would have fixed it.
>
> ??!
>
> - -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
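To make the point of the thread concrete, here is an added Python model of the two behaviours Len and Chris are discussing (the realm that dereferences a null password only after the username lookup succeeded, beside a realm that rejects a missing credential first). It is not Tomcat's code: the `USERS` store, `decode_form_value`, `form_login` and the status codes are constructed assumptions that stand in for the realm's database query, Tomcat's parameter decoder and the FORM authenticator.

```python
import hashlib
from typing import Optional

# Constructed user store: username -> SHA-1 digest of the password.
# Stands in for the realm's database lookup; not Tomcat's code.
USERS = {"tomcat": hashlib.sha1(b"s3cret").hexdigest()}


def decode_form_value(raw: str) -> Optional[str]:
    """Percent-decode one form field. An illegal escape such as a bare '%'
    yields None, modelling a decoder that returns null for malformed input."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "%":
            hexpair = raw[i + 1:i + 3]
            if len(hexpair) != 2:
                return None
            try:
                out.append(chr(int(hexpair, 16)))
            except ValueError:
                return None
            i += 3
        else:
            out.append(" " if raw[i] == "+" else raw[i])
            i += 1
    return "".join(out)


def authenticate_vulnerable(username: str, password: Optional[str]) -> Optional[str]:
    """Unknown user: return None before the password is touched.
    Known user: digest the password, which raises on None. The exception
    therefore only happens for real accounts, and that is the oracle."""
    stored = USERS.get(username)
    if stored is None:
        return None
    if hashlib.sha1(password.encode()).hexdigest() != stored:  # raises on None
        return None
    return username


def authenticate_fixed(username: str, password: Optional[str]) -> Optional[str]:
    """Reject a missing credential before any lookup, so 'unknown user' and
    'known user, bad password' produce exactly the same outcome."""
    if username is None or password is None:
        return None
    stored = USERS.get(username)
    if stored is None or hashlib.sha1(password.encode()).hexdigest() != stored:
        return None
    return username


def form_login(authenticate, query: str) -> int:
    """Model the FORM authenticator: parse j_username / j_password and return
    an HTTP status (constructed: 302 success, 401 failure, 500 uncaught error)."""
    fields = dict(pair.split("=", 1) for pair in query.split("&"))
    user = decode_form_value(fields.get("j_username", ""))
    password = decode_form_value(fields.get("j_password", ""))
    try:
        return 302 if authenticate(user, password) else 401
    except AttributeError:
        return 500  # the server error that distinguishes valid usernames
```

Run against the request from the advisory, the vulnerable realm answers 500 for `tomcat` and 401 for a nonexistent user, while the fixed realm answers 401 for both.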
