From: Mark Thomas
To: Tomcat Users List
Date: Fri, 05 Jun 2009 12:03:57 +0100
Subject: Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
Message-ID: <4A28FB9D.5010704@apache.org>
References: <4A2699C9.3070402@apache.org> <4A27FAD3.8060202@christopherschultz.net>
In-Reply-To: <4A27FAD3.8060202@christopherschultz.net>

Christopher Schultz wrote:
> Mark,
>
> On 6/3/2009 11:42 AM, Mark Thomas wrote:
>> CVE-2009-0580: Tomcat information disclosure vulnerability
>
> I know I'm likely to get a vague response, but could you provide some
> more info about this issue?

I'm sorry you have that impression. As I hope you see from this thread, the Tomcat security team is more than happy to discuss any vulnerability in detail once the vulnerability has been made public.

>> j_username=tomcat&j_password=%
>
> I'm not sure how the patch (I read the patch for TC5.5
> DataSourceRealm.java) changes anything at all: it appears to be merely a
> performance optimization.

Not quite.

> No changes are made to the behavior of Tomcat, since the same null is
> returned to the caller if the credentials do not match.

If the credentials are null (e.g. a password via FORM auth with invalid encoding) then there is an NPE. It is a result of lines 332/334 (5.5.x, post patch). If credentials is null then digest(credentials) is also null, which results in an NPE when we try digest(credentials).equals(...)

The NPE isn't handled and results in a blank response back to the client.

> I don't see any information disclosure vulnerability in the first place,
> and I don't see how your patch would have fixed it.

The patch stops this NPE from happening and ensures that users get a "login failed" message rather than a blank screen.

You are correct that for the current DataSource and JDBC Realms this is just a bug fix. However, for the MemoryRealm there is a test at line 150 that means the responses for a valid and invalid user when credentials are null are different. Valid users cause an NPE and a blank response. Invalid users get a login failed message.

For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and 4.1.0 to 4.1.31 with the DataSource Realm introduced in 4.1.17) are vulnerable. I'll issue an update to the vulnerability notice to clarify this.

If you have any further questions, please do ask.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
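The two code paths Mark describes above, as an added illustration that is not Tomcat's own realm code: a realm that looks the user up first and only then calls `digest(credentials).equals(...)` throws an NPE for a known user when the credential is null (the `j_password=%` case, which fails URL decoding), but returns a clean "login failed" for an unknown user, so the response tells the two apart. The hardened form rejects a null credential before any per-user work, so both users get the same answer. The user store, the `digest` helper (which returns null for a null input, matching the behaviour described in the thread) and the `clientView` mapping of an uncaught exception to a blank response are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.function.BiFunction;

/** Illustrative realm code (not Tomcat's) for the null-credential failure mode. */
public class NullCredentialRealmDemo {

    /** Constructed user store: username -> hex SHA-256 of the password. */
    private static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("tomcat", digest("tomcat"));
    }

    /** Hex digest of a credential. Returns null for a null credential, as the
     *  thread describes for the realm's digest(); this helper is an assumption. */
    static String digest(String credentials) {
        if (credentials == null) {
            return null;
        }
        try {
            byte[] out = MessageDigest.getInstance("SHA-256")
                    .digest(credentials.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : out) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Vulnerable pattern: user lookup first, digest comparison second.
     *  Unknown user -> clean null. Known user with null credential -> NPE. */
    static String authenticateVulnerable(String username, String credentials) {
        String stored = USERS.get(username);
        if (stored == null) {
            return null;                               // unknown user: "login failed"
        }
        if (digest(credentials).equals(stored)) {      // NPE when credentials == null
            return username;
        }
        return null;
    }

    /** Hardened pattern: reject null input before any per-user work, so the
     *  outcome never depends on whether the username exists. */
    static String authenticateHardened(String username, String credentials) {
        if (username == null || credentials == null) {
            return null;
        }
        String stored = USERS.get(username);
        if (stored == null) {
            return null;
        }
        // MessageDigest.isEqual is the JDK's constant-time byte comparison.
        boolean match = MessageDigest.isEqual(
                digest(credentials).getBytes(StandardCharsets.UTF_8),
                stored.getBytes(StandardCharsets.UTF_8));
        return match ? username : null;
    }

    /** What the client sees: the realm's verdict, or a blank page when the
     *  realm throws and nothing catches it (constructed model of the thread). */
    static String clientView(BiFunction<String, String, String> realm,
                             String username, String credentials) {
        try {
            return realm.apply(username, credentials) == null ? "login failed" : "logged in";
        } catch (NullPointerException e) {
            return "<blank response>";
        }
    }

    public static void main(String[] args) {
        // Constructed requests: the password failed decoding, so the realm sees null.
        for (String user : new String[] {"tomcat", "nosuchuser"}) {
            System.out.printf("vulnerable realm, user=%-10s -> %s%n", user,
                    clientView(NullCredentialRealmDemo::authenticateVulnerable, user, null));
            System.out.printf("hardened   realm, user=%-10s -> %s%n", user,
                    clientView(NullCredentialRealmDemo::authenticateHardened, user, null));
        }
    }
}
```

Run with `javac NullCredentialRealmDemo.java && java NullCredentialRealmDemo`: the vulnerable realm answers `<blank response>` for `tomcat` and `login failed` for `nosuchuser`, while the hardened realm answers `login failed` for both. The point of the ordering in the hardened form is that input validation happens before the user lookup, so no observable difference between existing and non-existing accounts is introduced on malformed input.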