Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 273662 (CVE-2008-5515) - <=www-servers/tomcat-{6.0.18, 5.5.27-r3} RequestDispatcher directory traversal (CVE-2008-5515)
Summary: <=www-servers/tomcat-{6.0.18, 5.5.27-r3} RequestDispatcher directory traversa...
Status: RESOLVED FIXED
Alias: CVE-2008-5515
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://tomcat.apache.org/security.html
Whiteboard: B3 [glsa]
Keywords:
Depends on: CVE-2009-0033 273931 329937
Blocks: 322979
  Show dependency tree
 
Reported: 2009-06-10 22:12 UTC by Mike Weissman
Modified: 2012-06-24 14:12 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Weissman 2009-06-10 22:12:00 UTC
Updated to add additional patches required for 5.5.x and 4.1.x

CVE-2008-5515: Apache Tomcat information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.27
Tomcat 6.0.0 to 6.0.18

Description:
When using a RequestDispatcher obtained from the Request, the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory.

Example:
For a page that contains:
<%
request.getRequestDispatcher( "bar.jsp?somepar=someval&par=" +
    request.getParameter( "blah" ) ).forward( request, response ); %>

an attacker can use:
http://host/page.jsp?blah=/../WEB-INF/web.xml

Credit:
This issue was discovered by Iida Minehiko, Fujitsu Limited


Submitting Patches and along with Patches to Ebuild


Reproducible: Always
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-06-17 10:25:01 UTC
CVE-2008-5515 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5515):
  Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0
  through 6.0.18, and possibly earlier versions normalizes the target
  pathname before filtering the query string when using the
  RequestDispatcher method, which allows remote attackers to bypass
  intended access restrictions and conduct directory traversal attacks
  via .. (dot dot) sequences and the WEB-INF directory in a Request.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-09 16:38:18 UTC
Will be added to glsa request.
Comment 3 Miroslav Šulc gentoo-dev 2011-12-24 20:34:42 UTC
tomcat 5.5.x has been removed from the main tree because it's heading its eol in 2012-09-30 and it's unmaintained on our side (all the effort goes to 6.x and 7.x releases). tomcat 5.5.x has been moved to java-overlay for those that still need it.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-09 18:10:48 UTC
This CVE is already on an existing GLSA request, so added the bug too.
Comment 5 Miroslav Šulc gentoo-dev 2012-03-25 20:24:05 UTC
what is the status of this bug? there is no affected version in the tree for quite some time.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:12:14 UTC
This issue was resolved and addressed in
 GLSA 201206-24 at http://security.gentoo.org/glsa/glsa-201206-24.xml
by GLSA coordinator Tobias Heinlein (keytoaster).