Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 173122 - www-servers/tomcat directory traversal (CVE-2007-0450)
Summary: www-servers/tomcat directory traversal (CVE-2007-0450)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B4 [glsa] jaervosz
Keywords:
: 173125 (view as bug list)
Depends on: 173150
Blocks:
  Show dependency tree
 
Reported: 2007-04-02 11:47 UTC by Sune Kloppenborg Jeppesen
Modified: 2007-05-02 03:03 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2007-04-02 11:47:19 UTC
Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-02 11:47:43 UTC
Java please advise.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-02 11:57:12 UTC
*** Bug 173125 has been marked as a duplicate of this bug. ***
Comment 3 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-04-02 12:30:04 UTC
It's the maintainer's call :)
Comment 4 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-04-02 13:31:55 UTC
I have no problem with stabilization of 5.5.23 or 6.0.10. However both have been migrated to split-ant, and split-ant and etc has not been stabilized yet. So ebuild might need to be modified before stabilized.

Now for what's it's worth I can't replicate this problem at all. I have tried on machines that should be vulnerable but aren't At best with the exploit url modified for my domain and etc, I get a blank page. From both 5.5.20, and 6.0.10.

But I am all for stabilizing the current versions of Tomcat. 6.0.11 is likely to release later this week.
Comment 5 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-04-02 16:32:59 UTC
Ok, 5.5.23 has been updated to be non-split ant aware. So it can be stabilized ASAP once deps are stabilized. To address the security concerns, that I still have yet to be able to replicate.

As for 6.0.10, let's hold off. There is a mem leak in the nio code, and an upcoming 6.0.11 with that fix and some others. Not to mention only 5.5.x is stable. So that's our main concern per vulnerability.
Comment 6 Petteri Räty (RETIRED) gentoo-dev 2007-04-02 16:34:27 UTC
(In reply to comment #5)
> Ok, 5.5.23 has been updated to be non-split ant aware. So it can be stabilized
> ASAP once deps are stabilized. To address the security concerns, that I still
> have yet to be able to replicate.
> 

Adding arches.
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-04-03 07:40:35 UTC
x86 stable
Comment 8 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-04-07 00:35:50 UTC
amd64 stable
Comment 9 Petteri Räty (RETIRED) gentoo-dev 2007-04-09 00:32:29 UTC
(In reply to comment #8)
> amd64 stable
> 

Just to note that all arches are done now and security can do their magic.
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-11 10:39:28 UTC
Thx.

This one is ready for GLSA decision.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-23 19:57:23 UTC
i vote yes since attemps to read parent directories is very common agains webapps.
Comment 12 Matt Drew (RETIRED) gentoo-dev 2007-04-24 19:49:27 UTC
I vote yes, same reason as Falco - very common attack, very common webserver.  Changing status and submitting request.
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-02 03:03:43 UTC
GLSA 200705-03, thanks everybody