tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
Date Fri, 05 Jun 2009 16:18:56 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark,

On 6/5/2009 12:14 PM, Mark Thomas wrote:
> Christopher Schultz wrote:
>>> For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and
>>> 4.1.0 to 4.1.31 with the DataSource Realm introduced in 4.1.17) are
>>> vulnerable.
>> I'm afraid I still don't understand the vulnerability in 5.5's
>> DataSourceRealm (the one I actually look at in detail): the NPE occurs
>> (in the unpatched code) regardless of the presence of a valid user(name).
> 
> You need to go back to what the code looked like between 5.5.0 and
> 5.5.5. It was very different back then.

Apologies: it's noon and I'm still bleary-eyed. I was reading "5.5.0 -
5.5.5" as "5.0 - 5.5". The actual "fix" then truly occurred between
5.5.0 and 5.5.5 in the 5.5.x branch, and the most recent commit amounts
to both a performance optimization and triple-check that this type of
bug won't bite again anytime soon.

Thanks for clarifying (again).

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkopRXAACgkQ9CaO5/Lv0PBnGgCeOaKePvSB7Xm05aFqt0cPO6sR
sGkAn19hZSb02h8jGnLtugt/3bIyZn0b
=tJvn
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message