tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
Date Fri, 05 Jun 2009 02:31:20 GMT


On 6/4/2009 1:04 PM, Rémy Maucherat wrote:
> On Thu, Jun 4, 2009 at 6:48 PM, Christopher Schultz
> <> wrote:
>> I don't see any information disclosure vulnerability in the first place,
>> and I don't see how your patch would have fixed it.
>> ??!
> The behavior was different if the user is not found or if the password is wrong.
> (ok, the security issue is not exactly very serious)

To be sure, this is not very serious, but this method should return null
in all cases except for successful authentication. Under what conditions
would something non-null be returned if the authentication wasn't

I don't think an exception would be thrown, either, would it?

On 6/4/2009 2:06 PM, Len Popp wrote:
> It looks to me like the change fixes an NPE when a null or nonsense
> password is given.

That would certainly amount to an information disclosure, but I'm
reading the 5.5 trunk source (version just previous to the fix) and it
looks like you'd get an NPE whether the user was found in the database
or not.

I suppose the argument could be made that sloppy credential handling
(that is, sloppy enough to allow an NPE) could possibly lead to such
information disclosure.

Time to go check-out securityfilter's source to see if we do this. Oh,
wait, we use Tomcat's realms :)

-chris
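As an added illustration of the behaviour the thread is arguing about (not Tomcat's realm code, and not from either poster): a minimal realm in the shape Rémy describes, where an unknown user returns null but a known user with a null credential hits equals() and throws, beside the uniform-null version. The user table and names are constructed for the demo.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

public class RealmEnumerationDemo {
    // Constructed sample user table (hypothetical, not from any deployment).
    private static final Map<String, String> USERS = new HashMap<>();
    static { USERS.put("alice", "s3cret"); }

    // Vulnerable shape: unknown user returns null cleanly, but a known user
    // with a null credential reaches equals() and throws NullPointerException,
    // so the caller's error path depends on whether the username exists.
    static Principal authenticateVulnerable(String username, String credentials) {
        String stored = USERS.get(username);
        if (stored == null) {
            return null;                      // user not found
        }
        if (credentials.equals(stored)) {     // NPE when credentials == null
            return () -> username;
        }
        return null;                          // wrong password
    }

    // Hardened shape: reject missing input up front and return null on every
    // non-success path, so unknown user and bad password look identical.
    static Principal authenticateFixed(String username, String credentials) {
        if (username == null || credentials == null) {
            return null;
        }
        String stored = USERS.get(username);
        return (stored != null && stored.equals(credentials)) ? () -> username : null;
    }

    // Observable outcome of one call: "principal", "null" or the exception name.
    static String outcome(boolean fixed, String user, String pass) {
        try {
            Principal p = fixed ? authenticateFixed(user, pass) : authenticateVulnerable(user, pass);
            return p == null ? "null" : "principal";
        } catch (RuntimeException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        for (boolean fixed : new boolean[] {false, true}) {
            String known = outcome(fixed, "alice", null);    // existing user, null password
            String unknown = outcome(fixed, "nobody", null); // unknown user, null password
            System.out.println((fixed ? "fixed:      " : "vulnerable: ") + "known -> " + known
                    + ", unknown -> " + unknown + (known.equals(unknown) ? " (same)" : " (differs)"));
        }
    }
}
```

The check worth keeping in a realm's test suite is the last line's comparison: every failure path for a known user must produce the same result as the corresponding path for an unknown one.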

