tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
Date Fri, 05 Jun 2009 02:31:20 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rémy,

On 6/4/2009 1:04 PM, Rémy Maucherat wrote:
> On Thu, Jun 4, 2009 at 6:48 PM, Christopher Schultz
> <chris@christopherschultz.net> wrote:
>> I don't see any information disclosure vulnerability in the first place,
>> and I don't see how your patch would have fixed it.
>>
>> ??!
> 
> The behavior was different if the user is not found of if the password is wrong.
> (ok, the security issue is not exactly very serious)

To be sure, this is not very serious, but this method should return null
in all cases except for successful authentication. Under what conditions
would something non-null be returned if the authentication wasn't
successful?

I don't think an exception would be thrown, either, would it?

On 6/4/2009 2:06 PM, Len Popp wrote:
> It looks to me like the change fixes an NPE when a null or nonsense
> password is given.

That would certainly amount to an information disclosure, but I'm
reading the 5.5 trunk source
(http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java?revision=466608&pathrev=781379
: version just previous to the fix) and it looks like you'd get an NPE
whether the user was found in the database or not.

I suppose the argument could be made that sloppy credential handling
(that is, sloppy enough to allow an NPE) could possibly lead to such
information disclosure.

Time to go check-out securityfilter's source to see if we do this. Oh,
wait, we use Tomcat's realms :)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkoog3gACgkQ9CaO5/Lv0PC+eQCgnQAZd4epH+5myPBWea4AR8FC
RDoAoKOuCrFk+Pgc653p15qTkqC1kqVx
=tICL
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message