tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
Date Fri, 05 Jun 2009 15:57:33 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark,

On 6/5/2009 7:03 AM, Mark Thomas wrote:
> Christopher Schultz wrote:
>> Mark,
>>
>> On 6/3/2009 11:42 AM, Mark Thomas wrote:
>>> CVE-2009-0580: Tomcat information disclosure vulnerability
>> I know I'm likely to get a vague response, but could you provide some
>> more info about this issue?
> 
> I'm sorry you have that impression. As I hope you see from this thread,
> the Tomcat security team is more than happy to discuss any vulnerability
> in detail once the vulnerability has been made public.

I'm sorry my comment came off as annoyed or something like that. The
reason I made this "vague response" statement is because the last time I
asked about specifics of a particular security bugfix, you (I think)
said that the vulnerability was theoretical, the bugfix was basically to
prevent the possibility for exploitation, and that the vulnerability
wasn't directly demonstrable in the first place (which makes me question
the veracity of the claim in the first place).

I wasn't trying to be a troll.

Thanks for the response(s).

> You are correct that for the current DataSource and JDBC Realms that
> this is just a bug fix. However, for the MemoryRealm there is a test at
> line 150 that means the responses for a valid and invalid user when
> credentials are null are different. Valid users cause an NPE and a blank
> response. Invalid users get a login failed message.

Aah, I hadn't looked at MemoryRealm, specifically. I made the (foolish)
assumption that the changes in all the realms would be comparable.

> For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and
> 4.1.0 to 4.1.31 with the DataSource Realm introduced in 4.1.17) are
> vulnerable.

I'm afraid I still don't understand the vulnerability in 5.5's
DataSourceRealm (the one I actually look at in detail): the NPE occurs
(in the unpatched code) regardless of the presence of a valid user(name).

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkopQG0ACgkQ9CaO5/Lv0PAiqwCbBS0d+QZ2rpRqE6ls0GrzgT74
CiQAoJVvXVC25ioMpzU/ZyP0EjcJ45rq
=w9Iy
-----END PGP SIGNATURE-----
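The response difference Mark describes for the MemoryRealm (a valid username with null credentials hits a NullPointerException and produces a blank page, while an unknown username gets the normal "login failed" page) can be shown with a small stand-alone class. This is an added illustration, not Tomcat's MemoryRealm or any code from the thread: the class, its method names and the sample user store are hypothetical. It contrasts a weak lookup that dereferences the credentials only after a successful user lookup with a hardened one that rejects null input before any per-user branch, and reports whether a client could tell the two cases apart.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Toy stand-in for a Tomcat-style Realm, written to illustrate the
 * response difference discussed in the thread. It is NOT Tomcat's
 * MemoryRealm; class and method names here are hypothetical.
 */
public class RealmEnumerationDemo {

    /** Constructed sample user store (username -> password). */
    private static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("alice", "correct horse battery staple");
    }

    /**
     * Weak variant: a known username with null credentials reaches
     * credentials.equals(...) and throws NullPointerException, while an
     * unknown username falls through to a normal "login failed" (null).
     * The two outcomes differ only because of whether the user exists.
     */
    static String authenticateWeak(String username, String credentials) {
        String stored = USERS.get(username);
        if (stored != null) {
            // NPE when credentials == null, but only for known usernames
            if (credentials.equals(stored)) {
                return username;
            }
        }
        return null; // "login failed" for everyone else
    }

    /**
     * Hardened variant: validate input before any per-user branch so that
     * every failure path yields the same result regardless of whether the
     * username exists.
     */
    static String authenticateHardened(String username, String credentials) {
        if (username == null || credentials == null) {
            return null;
        }
        String stored = USERS.get(username);
        if (stored != null && stored.equals(credentials)) {
            return username;
        }
        return null;
    }

    /**
     * Performs one lookup and returns the client-visible outcome: a blank
     * error page (unhandled NPE) versus a normal "login failed" page.
     */
    static String observe(boolean hardened, String username, String credentials) {
        try {
            String principal = hardened
                ? authenticateHardened(username, credentials)
                : authenticateWeak(username, credentials);
            return principal == null ? "login failed" : "authenticated as " + principal;
        } catch (NullPointerException e) {
            return "error (NPE, blank response)";
        }
    }

    public static void main(String[] args) {
        for (boolean hardened : new boolean[] {false, true}) {
            String known = observe(hardened, "alice", null);
            String unknown = observe(hardened, "nobody", null);
            System.out.printf("%s realm: known user -> %s; unknown user -> %s; distinguishable=%b%n",
                hardened ? "hardened" : "weak", known, unknown, !known.equals(unknown));
        }
    }
}
```

Running it with `javac RealmEnumerationDemo.java && java RealmEnumerationDemo` prints one line per variant; the weak realm reports the two cases as distinguishable, the hardened one does not. The same check (submit a null or empty credential for a name known to exist and for one that does not, and compare the responses) is a cheap regression test to keep beside any custom Realm, since the thread shows that the fix landed differently in MemoryRealm than in the JDBC and DataSource Realms.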

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

