tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
Date Fri, 05 Jun 2009 11:03:57 GMT
Christopher Schultz wrote:
> Mark,
> 
> On 6/3/2009 11:42 AM, Mark Thomas wrote:
>> CVE-2009-0580: Tomcat information disclosure vulnerability
> 
> I know I'm likely to get a vague response, but could you provide some
> more info about this issue?

I'm sorry you have that impression. As I hope you see from this thread,
the Tomcat security team is more than happy to discuss any vulnerability
in detail once the vulnerability has been made public.

>> j_username=tomcat&j_password=%
> 
> I'm not sure how the patch (I read the patch for TC5.5
> DataSourceRealm.java) changes anything at all: it appears to be merely a
> performance optimization.

Not quite.

> No changes are made to the behavior of Tomcat, since the same null is
> returned to the caller if the credentials do not match.

If the credentials are null (eg a password via FORM auth with invalid
encoding) then there is an NPE. It is as a result of lines 332/334
(5.5.x, post patch). If credentials is null then digest(credentials) is
also null which results in an NPE when we try
digest(credentials).equals(...)

The NPE results isn't handled and results in a blank response back to
the client.

> I don't see any information disclosure vulnerability in the first place,
> and I don't see how your patch would have fixed it.

The patch stops this NPE from happening and ensures that users get a
"login failed" message rather than a blank screen.

You are correct that for the current DataSource and JDBC Realms that
this is just a bug fix. However, for the MemoryRealm there is a test a
line 150 that means the responses for a valid and invalid user when
credentials are null are different. Valid users cause an NPE and a blank
response. Invalid users get a login failed message.

For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and
 4.1.0 to 4.1.31 with the DataSource Realm introduced in 4.1.17) are
vulnerable.

I'll issue an update to the vulnerability notice to clarify this.

If you have any further questions, please do ask.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message