Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2007/08/14 05:28:21 UTC
CVE-2007-3382: Handling of cookies containing a ' character
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2007-3382: Handling of cookies containing a ' character
Severity:
Low (Session Hi-jacking)
Vendor:
The Apache Software Foundation
Versions Affected:
6.0.0 to 6.0.13
5.5.0 to 5.5.24
5.0.0 to 5.0.30
4.1.0 to 4.1.36
3.3 to 3.3.2
Description:
Tomcat incorrectly treats a single quote character (') in a cookie
value as a delimiter. In some circumstances this can lead to the
leaking of information such as session ID to an attacker.
Mitigation:
Upgrade to 6.0.14
Credit:
This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing
and Networking Center, who worked with the CERT/CC to report the
vulnerability.
Example:
http://localhost:8080/servlets-examples/servlet/CookieExample?cookiename=BLOCKER&cookievalue=%5C%22A%3D%27%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2Fservlets-examples%2Fservlet+%3B
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGwSFVb7IeiTPGAkMRAjkwAKDnu+C08WRZazmZfzunFeHcitsvnACg3CtP
6c6FCxbFOcfxhqqayg8kdUI=
=MkDj
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
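The advisory states only that the single quote was treated as a delimiter. The following Python is an added example, not Tomcat's org.apache.tomcat.util.http.Cookies; it models a Cookie-header parser whose only tunable is the set of characters accepted as value delimiters, and runs it over a constructed Cookie header in which an attacker-planted cookie named BLOCKER carrying a lone ' precedes a made-up JSESSIONID. The function names, the sample header and the session-id value are all assumptions made for the demonstration; it also decodes the cookievalue parameter of the advisory's example URL so the raw value being set is visible.

```python
"""Model of the CVE-2007-3382 cookie-parsing flaw (added example, not Tomcat code).

The parser below is a deliberately simplified stand-in for a Cookie-header
parser; it is NOT org.apache.tomcat.util.http.Cookies. It models only the
behaviour the advisory describes: which characters open a quoted value.
The sample headers are constructed for this demonstration.
"""
from typing import Dict
from urllib.parse import unquote_plus

# Vulnerable behaviour: both " and ' open a quoted value.
VULNERABLE_QUOTES = "\"'"
# Corrected behaviour: only " does; a ' is ordinary value text.
FIXED_QUOTES = '"'

# Constructed Cookie header as a browser would send it once an attacker has
# planted a cookie named BLOCKER whose value is a lone single quote.
# The JSESSIONID value is made up.
LEAK_HEADER = "BLOCKER='; JSESSIONID=0123456789ABCDEF0123456789ABCDEF; theme=dark"

# The cookievalue parameter from the advisory's example URL, verbatim.
POC_COOKIEVALUE_PARAM = (
    "%5C%22A%3D%27%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B"
    "+Path%3D%2Fservlets-examples%2Fservlet+%3B"
)


def parse_cookie_header(header: str, quote_chars: str) -> Dict[str, str]:
    """Parse 'name=value; name2=value2' into a dict.

    A value that begins with a character in quote_chars runs until the
    matching closing character; ';' inside it is not a separator. If the
    closing character never appears, the value runs to the end of the
    header, which is what lets a single ' swallow every later cookie.
    """
    cookies: Dict[str, str] = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in " \t;":    # skip separators
            i += 1
        if i >= n:
            break
        start = i
        while i < n and header[i] not in "=;":  # cookie name
            i += 1
        name = header[start:i].strip()
        if i >= n or header[i] != "=":          # bare name: ignore it
            continue
        i += 1
        while i < n and header[i] in " \t":
            i += 1
        if i < n and header[i] in quote_chars:  # quoted value
            quote = header[i]
            i += 1
            start = i
            while i < n and header[i] != quote:
                i += 1
            value = header[start:i]
            i += 1                               # step over closing quote
            while i < n and header[i] != ";":    # discard trailing junk
                i += 1
        else:                                    # plain value up to ';'
            start = i
            while i < n and header[i] != ";":
                i += 1
            value = header[start:i].strip()
        if name:
            cookies[name] = value
    return cookies


def session_id_leaks(header: str, quote_chars: str,
                     session_cookie: str = "JSESSIONID",
                     echoed_cookie: str = "BLOCKER") -> bool:
    """True if the session cookie is no longer parsed as its own cookie and
    instead sits inside the value of a cookie the application echoes back."""
    cookies = parse_cookie_header(header, quote_chars)
    return (session_cookie not in cookies
            and session_cookie + "=" in cookies.get(echoed_cookie, ""))


def decode_poc_cookie_value() -> str:
    """Decode the advisory's cookievalue parameter to show the raw value."""
    return unquote_plus(POC_COOKIEVALUE_PARAM)


if __name__ == "__main__":
    print("PoC sets cookie value:", decode_poc_cookie_value())
    for label, quotes in (("vulnerable", VULNERABLE_QUOTES), ("fixed", FIXED_QUOTES)):
        parsed = parse_cookie_header(LEAK_HEADER, quotes)
        print(f"{label}: {parsed}  leaks={session_id_leaks(LEAK_HEADER, quotes)}")
```

With the vulnerable delimiter set the BLOCKER value absorbs everything after the ', so JSESSIONID never appears as a cookie of its own; an application that reflects cookie values (the CookieExample servlet does) then writes the session id into a page. With only " as a delimiter, BLOCKER parses as the literal ' and JSESSIONID is intact. Browsers send cookies with a more specific Path ahead of less specific ones, so a cookie scoped to /servlets-examples/servlet precedes one scoped to /servlets-examples in the Cookie header; that ordering is what puts the attacker's cookie in front of JSESSIONID in the constructed header.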
Re: CVE-2007-3382: Handling of cookies containing a ' character
Posted by jkew <jo...@sourcelabs.com>.
Rainer Jung wrote:
> Until now I didn't notice a committed fix for the cookie problem, but
> Mark or Filip might comment whether there are plans to include a fix
> in 5.5.25.
>
For CVE 3382, the fix appears to be in 5.5.x HEAD (rev 559280 and rev
557468) and 6.0.x HEAD (rev 557467) -- these checkins were committed
around July 19th. These checkins may also apply to CVE-3385 but I'm
still researching.
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java?view=log
http://svn.apache.org/viewvc/tomcat/connectors/trunk/util/java/org/apache/tomcat/util/http/Cookies.java?view=log
-John
Re: CVE-2007-3382: Handling of cookies containing a ' character
Posted by Rainer Jung <ra...@kippdata.de>.
Hi Christopher,
Christopher Schultz wrote:
>> Versions Affected:
>> 5.5.0 to 5.5.24
>
> Since 5.5.24 isn't yet released, will an upcoming 5.5.24 release include
> a fix for this problem given:
Filip asked about interest in a 5.5.25. The plan at this point in time
is to tag a new release at the end of the week. 5.5.24 as a version
number was already used (but not released) and we won't reroll a new
tarball with a version number that was already used before.
Until now I didn't notice a committed fix for the cookie problem, but
Mark or Filip might comment whether there are plans to include a fix in
5.5.25.
Regards,
Rainer
Re: CVE-2007-3382: Handling of cookies containing a ' character
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mark,
Mark Thomas wrote:
> CVE-2007-3382: Handling of cookies containing a ' character
>
> Versions Affected:
> 5.5.0 to 5.5.24
Since 5.5.24 isn't yet released, will an upcoming 5.5.24 release include
a fix for this problem given:
> Mitigation:
> Upgrade to 6.0.14
?
Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGwc+29CaO5/Lv0PARAug2AJ98oeF8HRLiXIqqzDEazknml6N/pwCgiNkO
+SIMwuOKQWDG0lkT1okzO7I=
=6jSG
-----END PGP SIGNATURE-----