Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.
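The root cause described above is a normalization mismatch: the front-end proxy decides whether a request is safe using one set of path separators, while Tomcat resolves the path using a larger set. The following added example (not code from the bug report, Apache or Tomcat) models that mismatch from a defender's point of view: a naive front-end check that splits only on "/" is compared with a normalizer that first percent-decodes and then treats "/" and "\" alike, as the advisory says Tomcat did. The separator rules and depth-counting are a simplified model, not Tomcat's actual implementation, and the request paths are constructed samples. The practical lesson is that any filter sitting in front of a back-end has to canonicalize the path the same way the back-end will.

```python
from urllib.parse import unquote


def _escapes_root(segments):
    """Return True if the segment list climbs above the document root.

    Simplified model: each normal segment goes one level down, each ".."
    goes one level up, and "." is ignored.  Going below zero means the
    request resolves outside the web application's root.
    """
    depth = 0
    for seg in segments:
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg != ".":
            depth += 1
    return False


def slash_only_check(path):
    """Naive front-end check: only "/" counts as a separator.

    This models a proxy that never sees backslashes or %5C as path
    separators and therefore never sees a ".." segment in such a request.
    """
    return _escapes_root([s for s in path.split("/") if s])


def tomcat_style_check(path):
    """Back-end view (assumption, modelled on the advisory text):

    percent-decode first (so %5C becomes "\\"), then treat both "/" and
    "\\" as separators before looking for ".." segments.
    """
    decoded = unquote(path)
    return _escapes_root([s for s in decoded.replace("\\", "/").split("/") if s])


def front_end_misses(paths):
    """Return the requests the back-end would resolve outside its root
    but the naive front-end check would have let through."""
    return [p for p in paths if tomcat_style_check(p) and not slash_only_check(p)]


if __name__ == "__main__":
    # Constructed sample request paths, not taken from any real log.
    SAMPLE_PATHS = [
        "/app/images/../css/style.css",      # harmless relative hop inside the app
        "/app/../../../etc/passwd",          # plain traversal; both checks catch it
        "/app/..\\..\\..\\etc/passwd",       # backslash separators; front-end misses it
        "/app/..%5C..%5C..%5Cetc/passwd",    # URL-encoded backslashes; front-end misses it
    ]
    for p in SAMPLE_PATHS:
        print(f"{p!r:40} front-end={slash_only_check(p)!s:5} back-end={tomcat_style_check(p)}")
    print("missed by front-end:", front_end_misses(SAMPLE_PATHS))
```

The fix a proxy needs is the one `tomcat_style_check` illustrates: decode, then normalize with every separator the back-end honours, and only then decide; a check applied before decoding or with a narrower separator set leaves exactly the gap the advisory describes.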
Java please advise.
*** Bug 173125 has been marked as a duplicate of this bug. ***
It's the maintainer's call :)
I have no problem with stabilization of 5.5.23 or 6.0.10. However, both have been migrated to split-ant, and split-ant etc. have not been stabilized yet. So the ebuild might need to be modified before being stabilized.
Now, for what it's worth, I can't replicate this problem at all. I have tried on machines that should be vulnerable but aren't. At best, with the exploit URL modified for my domain etc., I get a blank page. From both 5.5.20 and 6.0.10.
But I am all for stabilizing the current versions of Tomcat. 6.0.11 is likely to release later this week.
Ok, 5.5.23 has been updated to be non-split-ant aware. So it can be stabilized ASAP once deps are stabilized, to address the security concerns that I still have yet to be able to replicate.
As for 6.0.10, let's hold off. There is a mem leak in the NIO code, and an upcoming 6.0.11 with that fix and some others. Not to mention only 5.5.x is stable, so that's our main concern per the vulnerability.
(In reply to comment #5)
> Ok, 5.5.23 has been updated to be non-split ant aware. So it can be stabilized
> ASAP once deps are stabilized. To address the security concerns, that I still
> have yet to be able to replicate.
(In reply to comment #8)
> amd64 stable
Just to note that all arches are done now and security can do their magic.
This one is ready for GLSA decision.
I vote yes, since attempts to read parent directories are very common against webapps.
I vote yes, same reason as Falco: very common attack, very common webserver. Changing status and submitting request.
GLSA 200705-03, thanks everybody.