Apache Tomcat WebDAV directory traversal

apache-tomcat-webdav-dir-traversal (37243)

Medium Risk

Description:

Apache Tomcat could allow an authenticated remote attacker to traverse directories and view any known file on the system. An attacker could exploit this vulnerability by sending a specially-crafted WebDAV write request containing the absolute path of the targeted file within the SYSTEM ENTITY tag.

Note: This vulnerability also affects Apache Jakarta Slide.

Platforms Affected:

• Apache, Geronimo 1.0
• Apache, Geronimo 2.0.1
• Apache, Geronimo 2.0.2
• Apache, Jakarta Slide 2.1
• Apache, Tomcat 4.0
• Apache, Tomcat 4.0.0
• Apache, Tomcat 4.0.1
• Apache, Tomcat 4.0.2
• Apache, Tomcat 4.0.3
• Apache, Tomcat 4.0.4
• Apache, Tomcat 4.0.5
• Apache, Tomcat 4.0.6
• Apache, Tomcat 4.1
• Apache, Tomcat 4.1.0
• Apache, Tomcat 4.1.10
• Apache, Tomcat 4.1.12
• Apache, Tomcat 4.1.24
• Apache, Tomcat 4.1.31
• Apache, Tomcat 4.1.32
• Apache, Tomcat 4.1.34
• Apache, Tomcat 4.1.36
• Apache, Tomcat 4.1.37
• Apache, Tomcat 5.0
• Apache, Tomcat 5.0.0
• Apache, Tomcat 5.0.1
• Apache, Tomcat 5.0.10
• Apache, Tomcat 5.0.11
• Apache, Tomcat 5.0.12
• Apache, Tomcat 5.0.13
• Apache, Tomcat 5.0.14
• Apache, Tomcat 5.0.15
• Apache, Tomcat 5.0.16
• Apache, Tomcat 5.0.19
• Apache, Tomcat 5.0.2
• Apache, Tomcat 5.0.28
• Apache, Tomcat 5.0.3
• Apache, Tomcat 5.0.30
• Apache, Tomcat 5.0.4
• Apache, Tomcat 5.0.5
• Apache, Tomcat 5.0.6
• Apache, Tomcat 5.0.7
• Apache, Tomcat 5.0.8
• Apache, Tomcat 5.0.9
• Apache, Tomcat 5.1
• Apache, Tomcat 5.2
• Apache, Tomcat 5.3
• Apache, Tomcat 5.4
• Apache, Tomcat 5.5
• Apache, Tomcat 5.5.0
• Apache, Tomcat 5.5.1
• Apache, Tomcat 5.5.10
• Apache, Tomcat 5.5.11
• Apache, Tomcat 5.5.12
• Apache, Tomcat 5.5.13
• Apache, Tomcat 5.5.14
• Apache, Tomcat 5.5.15
• Apache, Tomcat 5.5.16
• Apache, Tomcat 5.5.17
• Apache, Tomcat 5.5.18
• Apache, Tomcat 5.5.19
• Apache, Tomcat 5.5.2
• Apache, Tomcat 5.5.20
• Apache, Tomcat 5.5.21
• Apache, Tomcat 5.5.22
• Apache, Tomcat 5.5.23
• Apache, Tomcat 5.5.24
• Apache, Tomcat 5.5.25
• Apache, Tomcat 5.5.3
• Apache, Tomcat 5.5.4
• Apache, Tomcat 5.5.5
• Apache, Tomcat 5.5.6
• Apache, Tomcat 5.5.7
• Apache, Tomcat 5.5.8
• Apache, Tomcat 5.5.9
• Apache, Tomcat 6.0
• Apache, Tomcat 6.0.0
• Apache, Tomcat 6.0.1
• Apache, Tomcat 6.0.10
• Apache, Tomcat 6.0.11
• Apache, Tomcat 6.0.12
• Apache, Tomcat 6.0.13
• Apache, Tomcat 6.0.14
• Apache, Tomcat 6.0.2
• Apache, Tomcat 6.0.3
• Apache, Tomcat 6.0.4
• Apache, Tomcat 6.0.5
• Apache, Tomcat 6.0.6
• Apache, Tomcat 6.0.7
• Apache, Tomcat 6.0.8
• Apache, Tomcat 6.0.9
• Apple, Mac OS X Server 10.5
• Apple, Mac OS X Server 10.5.1
• Apple, Mac OS X Server 10.5.2
• Apple, Mac OS X Server 10.5.3
• Apple, Mac OS X Server 10.5.4
• Apple, Mac OS X Server 10.5.5
• Debian, Debian Linux 4.0
• Gentoo, Linux
• IBM, WebSphere Application Server 1.0 Community
• IBM, WebSphere Application Server 1.0.0.1 Community
• IBM, WebSphere Application Server 1.0.1 Community
• IBM, WebSphere Application Server 1.0.1.1 Community
• IBM, WebSphere Application Server 1.0.1.2 Community
• IBM, WebSphere Application Server 1.1 Community
• IBM, WebSphere Application Server 1.1.0.1 Community
• IBM, WebSphere Application Server 1.1.0.2 Community
• IBM, WebSphere Application Server 2.0 Community
• MandrakeSoft, Mandrake Linux 2007.1
• MandrakeSoft, Mandrake Linux 2007.1 X86_64
• MandrakeSoft, Mandrake Linux 2008.0
• MandrakeSoft, Mandrake Linux 2008.0 X86_64
• RedHat, Application Stack v1 for EL AS 4
• RedHat, Application Stack v1 for EL ES 4
• RedHat, Enterprise Linux 5
• RedHat, Enterprise Linux 5 Client Workstation
• RedHat, Enterprise Linux 5 Client
• RedHat, JBoss Enterprise Application Platform 4.2.0 EL4
• RedHat, JBoss Enterprise Application Platform 4.2.0 EL5
• RedHat, Network Satellite Server 4.2
• RedHat, Network Satellite Server 5.0
• RedHat, Network Satellite Server 5.1
• RedHat, RHEL Application Server 2
• RedHat, RHEL Application Stack 2
• RedHat, RHEL Developer Suite 3
• Sun, Solaris 10 SPARC
• Sun, Solaris 10 x86
• Sun, Solaris 9 SPARC
• Sun, Solaris 9 x86
• VMware, ESX Server 3.5

Remedy:

Upgrade to the fixed version of Apache Tomcat WebDAV (5.5 or 6.0 or later), available from the Apache Tomcat SVN Repository. See References.

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

Obtain Information

References:

• Apache Geronimo Web site, Potential vulnerability in Apache Tomcat Webdav servlet at http://geronimo.apache.org/2007/10/18/potential-vulnerability-in-apache-tomcat-webdav-servlet.html.
• Apache Tomcat SVN Repository, Apache Tomcat at http://tomcat.apache.org/svn.html.
• Apache Tomcat Web site, Apache Tomcat at http://tomcat.apache.org/.
• Apple Web site, About Security Update 2008-007 at http://support.apple.com/kb/HT3216.
• Full-Disclosure Mailing List, Sun Oct 14 2007 - 15:47:34 CDT, Apache Tomcat Rem0Te FiLe DiscloSure ZeroDay (W3bd4v) at http://archives.neohapsis.com/archives/fulldisclosure/2007-10/0371.html.
• IBM Flash (Alert) 1286112, Tomcat Webdav servlet security vulnerability in WebSphere Application Server Community Edition at http://www-1.ibm.com/support/docview.wss?uid=swg21286112.
• Jakarta Slide Web page, Jakarta Slide at http://jakarta.apache.org/slide/.
• Jakarta Slide Web site, The Jakarta Slide project at http://jakarta.apache.org/slide/.
• SA27398 , Apache Tomcat WebDAV Arbitrary File Content Disclosure at http://secunia.com/advisories/27398.
• Sun Alert ID: 239312, Security Vulnerabilities in Tomcat 4.0 Shipped with Solaris 9 and 10 at http://sunsolve.sun.com/search/document.do?assetkey=1-66-239312-1.
• VMSA-2008-0010, Updated Tomcat and Java JRE packages for VMware ESX 3.5 at http://www.vmware.com/security/advisories/VMSA-2008-0010.html.
• ASA-2008-190: tomcat security update (RHSA-2008-0195)
• ASA-2008-293: Security Vulnerabilities in Tomcat 4.0 Shipped with Solaris 9 and 10 (Sun 239312)
• ASA-2008-401: tomcat security update (RHSA-2008-0862)
• BID-26070: Apache Tomcat WebDav Remote Information Disclosure Vulnerability
• BID-31681: RETIRED: Apple Mac OS X 2008-007 Multiple Security Vulnerabilities
• CVE-2007-5461: Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
• CVE-2007-5731: Absolute path traversal vulnerability in Apache Jakarta Slide 2.1 and earlier allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag, a related issue to CVE-2007-5461.
• DSA-1447: tomcat5.5 -- several vulnerabilities
• DSA-1453: tomcat5 -- several vulnerabilities
• FrSIRT/ADV-2007-3622: Apache Tomcat WebDAV Servlet Remote File Disclosure Vulnerability
• FrSIRT/ADV-2007-3671: IBM WebSphere Application Server Community Edition File Disclosure
• FrSIRT/ADV-2007-3674: Apache Geronimo Tomcat Webdav Servlet File Disclosure Vulnerability
• FrSIRT/ADV-2007-3699: Apache Jakarta Slide Webdav Servlet Arbitrary File Disclosure Issue
• FrSIRT/ADV-2008-1856: VMware ESX Server Security Update Fixes Multiple Vulnerabilities
• FrSIRT/ADV-2008-1979: Sun Solaris Tomcat JSP/Servlet Container Multiple Vulnerabilities
• FrSIRT/ADV-2008-1981: Apple Mac OS X Command Execution and Security Bypass Issues
• FrSIRT/ADV-2008-2780: Apple Mac OS X Code Execution and Security Bypass Vulnerabilities
• FrSIRT/ADV-2008-2823: Avaya Products Tomcat Security Bypass Vulnerabilities
• GLSA-200804-10: Tomcat: Multiple vulnerabilities
• MDKSA-2007:241: Updated tomcat5 packages fix multiple vulnerabilities
• RHSA-2008-0042: Moderate: tomcat security update
• RHSA-2008-0151: Moderate: JBoss Enterprise Application Platform 4.2.0CP02 security update
• RHSA-2008-0158: Moderate: JBoss Enterprise Application Platform security update
• RHSA-2008-0195: Moderate: tomcat security update
• RHSA-2008-0213: Moderate: JBoss Enterprise Application Platform 4.2.0CP02 security update
• RHSA-2008-0261: Moderate: Red Hat Network Satellite Server security update
• RHSA-2008-0524: Low: Red Hat Network Satellite Server security update
• RHSA-2008-0630: Low: Red Hat Network Satellite Server security update
• RHSA-2008-0862: Important: tomcat security update
• SA27398: Apache Tomcat WebDAV Arbitrary File Content Disclosure
• SA27446: WebSphere Application Server Community Edition WebDAV Content Disclosure
• SA27467: Apache Jakarta Slide WebDAV Arbitrary File Content Disclosure
• SA27481: Apache Geronimo WebDAV Arbitrary File Content Disclosure
• SA30676: VMware ESX Server update for Tomcat and Java JRE
• SA30802: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
• SA30899: Sun Solaris 9 Tomcat Multiple Vulnerabilities
• SA30908: Sun Solaris 10 Tomcat Multiple Vulnerabilities
• SA32222: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
• SECTRACK ID: 1018864: Tomcat WebDAV Servlet Lets Remote Users View Arbitrary Files
• SUSE-SR:2008:005: SUSE Security Summary Report

Reported:

Oct 14, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page