tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
Date Fri, 05 Jun 2009 16:14:52 GMT
Christopher Schultz wrote:
>> For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and
>> 4.1.0 to 4.1.31 with the DataSource Realm introduced in 4.1.17) are
>> vulnerable.
> 
> I'm afraid I still don't understand the vulnerability in 5.5's
> DataSourceRealm (the one I actually look at in detail): the NPE occurs
> (in the unpatched code) regardless of the presence of a valid user(name).

You need to go back to what the code looked like between 5.5.0 and
5.5.5. It was very different back then.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
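The issue the thread is circling is a general one: a realm that behaves differently (an early return, a distinct error, or an exception such as an NPE) depending on whether the submitted username exists lets a client tell valid accounts from invalid ones. The following is an added illustration of that pattern and of the uniform-failure alternative; it is not Tomcat's DataSourceRealm code from any version, the in-memory user table, digest format, user names and method names are all constructed for the example, and it does not claim to reproduce the exact code path fixed in CVE-2009-0580.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Illustrative stand-in for a realm backed by a user table (constructed, not Tomcat's code).
public class RealmEnumerationDemo {

    // Constructed sample data: username -> SHA-256 hex digest of the password.
    // (Not Tomcat's storage format; just enough to make the comparison realistic.)
    static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("alice", sha256Hex("correct horse"));
    }

    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                                    .digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Leaky pattern: unknown users take a short, distinct path and never reach the code
    // that dereferences the credential. A null credential (a login form submitted without
    // the password parameter yields null from getParameter) therefore throws only when the
    // username exists, so the client can distinguish "no such user" from "user exists".
    static String leakyAuthenticate(String username, String credential) {
        String stored = USERS.get(username);
        if (stored == null) {
            return "unknown";                       // distinct outcome for unknown users
        }
        // sha256Hex(null) throws NullPointerException: only reachable for known users
        return sha256Hex(credential).equals(stored) ? "ok" : "bad-password";
    }

    // Hardened pattern: validate inputs up front, do the same amount of work whether or not
    // the user exists, compare in constant time, and return one failure value for every
    // unsuccessful case so the response carries no account-existence signal.
    static final String DUMMY_DIGEST = sha256Hex("placeholder-so-unknown-users-cost-the-same");

    static String uniformAuthenticate(String username, String credential) {
        if (username == null || credential == null) {
            return "fail";                          // same answer as any other failure
        }
        String stored = USERS.get(username);
        String compareTo = stored != null ? stored : DUMMY_DIGEST;
        byte[] supplied = sha256Hex(credential).getBytes(StandardCharsets.UTF_8);
        byte[] expected = compareTo.getBytes(StandardCharsets.UTF_8);
        boolean match = MessageDigest.isEqual(supplied, expected);
        return (stored != null && match) ? "ok" : "fail";
    }

    public static void main(String[] args) {
        String[][] attempts = {
            {"alice", "correct horse"},             // valid user, valid password
            {"alice", "wrong"},                     // valid user, wrong password
            {"nobody", "wrong"},                    // unknown user
            {"alice", null},                        // valid user, missing password
            {"nobody", null},                       // unknown user, missing password
        };
        for (String[] a : attempts) {
            String leaky;
            try {
                leaky = leakyAuthenticate(a[0], a[1]);
            } catch (NullPointerException e) {
                leaky = "NullPointerException";     // observable only for existing users
            }
            String uniform = uniformAuthenticate(a[0], a[1]);
            System.out.printf("%-7s %-14s leaky=%-21s uniform=%s%n",
                              a[0], a[1], leaky, uniform);
        }
    }
}
```

Running the demo shows the leaky realm answering "unknown" for a nonexistent user but throwing for an existing one when the password is missing, while the hardened realm returns "fail" for every unsuccessful row. When reviewing a realm or login handler, the check to apply is exactly that: feed it an existing and a nonexistent username with the same bad or absent credential, and confirm the status, body, exception and timing are indistinguishable.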

