ISS X-Force Database: tomcat-proxy-directory-traversal(32988): Apache Tomcat proxy module directory traversal

Apache Tomcat proxy module directory traversal

tomcat-proxy-directory-traversal (32988)

Medium Risk

Description:

Apache Tomcat when used with Apache HTTP Server could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to the mod_proxy, mod_rewrite, or mod_jk proxy modules containing "dot dot" sequences (/../) appended with "/", "\", or "%5C" characters to view arbitrary files on the system and possibly gain access to the Tomcat Manager Application.

Platforms Affected:

Apache, HTTP Server
Apache, Tomcat 5.0.19
Apache, Tomcat 5.0.28
Apache, Tomcat 5.5.0
Apache, Tomcat 5.5.1
Apache, Tomcat 5.5.10
Apache, Tomcat 5.5.11
Apache, Tomcat 5.5.12
Apache, Tomcat 5.5.13
Apache, Tomcat 5.5.14
Apache, Tomcat 5.5.15
Apache, Tomcat 5.5.16
Apache, Tomcat 5.5.17
Apache, Tomcat 5.5.18
Apache, Tomcat 5.5.19
Apache, Tomcat 5.5.2
Apache, Tomcat 5.5.20
Apache, Tomcat 5.5.21
Apache, Tomcat 5.5.22
Apache, Tomcat 5.5.3
Apache, Tomcat 5.5.4
Apache, Tomcat 5.5.5
Apache, Tomcat 5.5.6
Apache, Tomcat 5.5.7
Apache, Tomcat 5.5.8
Apache, Tomcat 5.5.9
Apache, Tomcat 6.0.9
Apple, Mac OS X Server 10.4.10
CA, Cohesion Application Configuration Manager 4.5
CA, Cohesion Application Configuration Manager 4.5 SP1
Gentoo, Linux
HP, HP-UX B.11.11
HP, HP-UX B.11.23
HP, HP-UX B.11.31
MandrakeSoft, Mandrake Linux 2007.1 X86_64
MandrakeSoft, Mandrake Linux 2007.1
MandrakeSoft, Mandrake Linux 2008.0 X86_64
MandrakeSoft, Mandrake Linux 2008.0
RedHat, Application Stack v1 for EL AS 4
RedHat, Application Stack v1 for EL ES 4
RedHat, Enterprise Linux 4 ES
RedHat, Enterprise Linux 5 Client Workstation
RedHat, Enterprise Linux 5 Client
RedHat, Enterprise Linux 5 Server
RedHat, Enterprise Linux 5
RedHat, Enterprise Linux Desktop 5.0
RedHat, Linux Advanced Workstation 2.1 Itanium
RedHat, Network Satellite Server 4.0
RedHat, Network Satellite Server 4.1
RedHat, Network Satellite Server 4.2
RedHat, Network Satellite Server 5.0
RedHat, Network Satellite Server 5.0
RedHat, RHEL Application Server 2
RedHat, RHEL Developer Suite 3
Sun, Solaris 10 x86
Sun, Solaris 10 SPARC
Sun, Solaris 9 x86
Sun, Solaris 9 SPARC
SuSE, SuSE Linux
VMware, ESX Server 3.0.1
VMware, ESX Server 3.0.2
VMware, VirtualCenter Management Server 2.0.2

Remedy:

Upgrade to the latest version of Apache Tomcat (6.0.10, 5.5.23, or later), available from the Apache Tomcat Web site. See References.

For Gentoo Linux:
Refer to GLSA 200705-03 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux:
Refer to RHSA-2007:0327 for patch, upgrade, or suggested workaround information. See References.

For Mac OS:
Apply Apple Security Update 2007-007, available from the Apple Web site. See References.

For SUSE Linux:
Refer to SUSE-SR:2007:015 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

Gain Access

References:

Apache Tomcat Web site, Apache Tomcat - Apache Tomcat at http://tomcat.apache.org/.
Apple Security Update 2007-007 , About Security Update 2007-007 at http://docs.info.apple.com/article.html?artnum=306172.
Apple Web site, Apple security updates at http://docs.info.apple.com/article.html?artnum=61798.
CA Security Response Blog, Jan 23 2009, 06:04 PM, CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities at http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23/ca20090123-01-cohesion-tomcat-multiple-vulnerabilities.aspx.
CA20090123-01, Security Notice for Cohesion Tomcat at https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540.
FUJITSU Web site, Directory traversal vulnerabilities in Interstage Application Server(CVE-2007-0450). September 6th, 2007 at http://www.fujitsu.com/global/support/software/security/products-f/interstage-200702e.html.
Full-Disclosure Mailing List, Wed Mar 14 2007 - 08:19:59 CDT, SEC Consult SA-20070314-0 :: Apache HTTP Server / Tomcat directory traversal at http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0167.html.
HPSBUX02262 SSRT071447, HP-UX running Apache, Remote Arbitrary Code Execution, Cross Site Scripting (XSS) at http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795.
Security-announce Mailing List, Mon Jan 7 17:56:48 PST 2008 , VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1 at http://lists.vmware.com/pipermail/security-announce/2008/000003.html.
Sun Alert ID: 239312, Security Vulnerabilities in Tomcat 4.0 Shipped with Solaris 9 and 10 at http://sunsolve.sun.com/search/document.do?assetkey=1-66-239312-1.
ASA-2007-206: tomcat security update (RHSA-2007-0326)
ASA-2007-208: JBossAS security update (RHSA-2007-0360)
ASA-2007-265: tomcat security update (RHSA-2007-0328)
ASA-2007-416: HP-UX running Apache, Remote Arbitrary Code Execution, Cross Site Scripting (XSS) (HPSBUX02262)
ASA-2008-293: Security Vulnerabilities in Tomcat 4.0 Shipped with Solaris 9 and 10 (Sun 239312)
BID-22960: Apache HTTP Server Tomcat Directory Traversal Vulnerability
BID-25159: Apple Mac OS X 2007-007 Multiple Security Vulnerabilities
CVE-2007-0450: Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) / (slash), (2) \ (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.
GLSA-200705-03: Tomcat: Information disclosure
MDKSA-2007:241: Updated tomcat5 packages fix multiple vulnerabilities
RHSA-2007-0326: Important: tomcat security update
RHSA-2007-0327: Important: tomcat security update
RHSA-2007-0328: Important: tomcat security update
RHSA-2007-0340: Important: tomcat security update
RHSA-2007-0360: Important: jbossas security update
RHSA-2007-1069: Moderate: tomcat security update for Red Hat Network Satellite Server
RHSA-2008-0261: Moderate: Red Hat Network Satellite Server security update
RHSA-2008-0524: Low: Red Hat Network Satellite Server security update
SA24732: Apache Tomcat Directory Traversal Security Issue
SA26235: Mac OS X Security Update Fixes Multiple Vulnerabilities
SA26660: Interstage Application Server Multiple Vulnerabilities
SA28365: VMware ESX Server and VirtualCenter Multiple Security Updates
SA30899: Sun Solaris 9 Tomcat Multiple Vulnerabilities
SA30908: Sun Solaris 10 Tomcat Multiple Vulnerabilities
SA33668: CA Cohesion Application Configuration Manager Apache Tomcat Multiple Vulnerabilities
SUSE-SR:2007:005: SUSE Security Summary Report
SUSE-SR:2007:015: SUSE Security Summary Report
VUPEN/ADV-2007-0975: Apache Tomcat HTTP Request Handling Remote Directory Traversal Vulnerability
VUPEN/ADV-2007-2732: Apple Mac OS X Multiple Code Execution and Denial of Service Vulnerabilities
VUPEN/ADV-2007-3087: Fujitsu Interstage Studio Cross Site Scripting and Security Bypass Vulnerabilities
VUPEN/ADV-2007-3386: HP-UX Apache Code Execution and Cross Site Scripting Vulnerabilities
VUPEN/ADV-2008-0065: VMware ESX Server and VirtualCenter Multiple Code Execution Issues
VUPEN/ADV-2008-1979: Sun Solaris Tomcat JSP/Servlet Container Multiple Vulnerabilities
VUPEN/ADV-2009-0233: CA Cohesion Apache Tomcat Multiple Security Bypass Vulnerabilities

Reported:

Mar 14, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page