ID CVE-2007-0450
Summary Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.
References
Vulnerable Configurations
  • Apache Software Foundation Apache HTTP Server
    cpe:2.3:a:apache:http_server
  • Apache Software Foundation Tomcat 5.0.0
    cpe:2.3:a:apache:tomcat:5.0.0
  • Apache Software Foundation Tomcat 5.0.1
    cpe:2.3:a:apache:tomcat:5.0.1
  • Apache Software Foundation Tomcat 5.0.2
    cpe:2.3:a:apache:tomcat:5.0.2
  • Apache Software Foundation Tomcat 5.0.3
    cpe:2.3:a:apache:tomcat:5.0.3
  • Apache Software Foundation Tomcat 5.0.4
    cpe:2.3:a:apache:tomcat:5.0.4
  • Apache Software Foundation Tomcat 5.0.5
    cpe:2.3:a:apache:tomcat:5.0.5
  • Apache Software Foundation Tomcat 5.0.6
    cpe:2.3:a:apache:tomcat:5.0.6
  • Apache Software Foundation Tomcat 5.0.7
    cpe:2.3:a:apache:tomcat:5.0.7
  • Apache Software Foundation Tomcat 5.0.8
    cpe:2.3:a:apache:tomcat:5.0.8
  • Apache Software Foundation Tomcat 5.0.9
    cpe:2.3:a:apache:tomcat:5.0.9
  • Apache Software Foundation Tomcat 5.0.10
    cpe:2.3:a:apache:tomcat:5.0.10
  • Apache Software Foundation Tomcat 5.0.11
    cpe:2.3:a:apache:tomcat:5.0.11
  • Apache Software Foundation Tomcat 5.0.12
    cpe:2.3:a:apache:tomcat:5.0.12
  • Apache Software Foundation Tomcat 5.0.13
    cpe:2.3:a:apache:tomcat:5.0.13
  • Apache Software Foundation Tomcat 5.0.14
    cpe:2.3:a:apache:tomcat:5.0.14
  • Apache Software Foundation Tomcat 5.0.15
    cpe:2.3:a:apache:tomcat:5.0.15
  • Apache Software Foundation Tomcat 5.0.16
    cpe:2.3:a:apache:tomcat:5.0.16
  • Apache Software Foundation Tomcat 5.0.17
    cpe:2.3:a:apache:tomcat:5.0.17
  • Apache Software Foundation Tomcat 5.0.18
    cpe:2.3:a:apache:tomcat:5.0.18
  • Apache Software Foundation Tomcat 5.0.19
    cpe:2.3:a:apache:tomcat:5.0.19
  • Apache Software Foundation Tomcat 5.0.21
    cpe:2.3:a:apache:tomcat:5.0.21
  • Apache Software Foundation Tomcat 5.0.22
    cpe:2.3:a:apache:tomcat:5.0.22
  • Apache Software Foundation Tomcat 5.0.23
    cpe:2.3:a:apache:tomcat:5.0.23
  • Apache Software Foundation Tomcat 5.0.24
    cpe:2.3:a:apache:tomcat:5.0.24
  • Apache Software Foundation Tomcat 5.0.25
    cpe:2.3:a:apache:tomcat:5.0.25
  • Apache Software Foundation Tomcat 5.0.26
    cpe:2.3:a:apache:tomcat:5.0.26
  • Apache Software Foundation Tomcat 5.0.27
    cpe:2.3:a:apache:tomcat:5.0.27
  • Apache Software Foundation Tomcat 5.0.28
    cpe:2.3:a:apache:tomcat:5.0.28
  • Apache Software Foundation Tomcat 5.0.29
    cpe:2.3:a:apache:tomcat:5.0.29
  • Apache Software Foundation Tomcat 5.0.30
    cpe:2.3:a:apache:tomcat:5.0.30
  • Apache Software Foundation Tomcat 5.5.0
    cpe:2.3:a:apache:tomcat:5.5.0
  • Apache Software Foundation Tomcat 5.5.1
    cpe:2.3:a:apache:tomcat:5.5.1
  • Apache Software Foundation Tomcat 5.5.2
    cpe:2.3:a:apache:tomcat:5.5.2
  • Apache Software Foundation Tomcat 5.5.3
    cpe:2.3:a:apache:tomcat:5.5.3
  • Apache Software Foundation Tomcat 5.5.4
    cpe:2.3:a:apache:tomcat:5.5.4
  • Apache Software Foundation Tomcat 5.5.5
    cpe:2.3:a:apache:tomcat:5.5.5
  • Apache Software Foundation Tomcat 5.5.6
    cpe:2.3:a:apache:tomcat:5.5.6
  • Apache Software Foundation Tomcat 5.5.7
    cpe:2.3:a:apache:tomcat:5.5.7
  • Apache Software Foundation Tomcat 5.5.8
    cpe:2.3:a:apache:tomcat:5.5.8
  • Apache Software Foundation Tomcat 5.5.9
    cpe:2.3:a:apache:tomcat:5.5.9
  • Apache Software Foundation Tomcat 5.5.10
    cpe:2.3:a:apache:tomcat:5.5.10
  • Apache Software Foundation Tomcat 5.5.11
    cpe:2.3:a:apache:tomcat:5.5.11
  • Apache Software Foundation Tomcat 5.5.12
    cpe:2.3:a:apache:tomcat:5.5.12
  • Apache Software Foundation Tomcat 5.5.13
    cpe:2.3:a:apache:tomcat:5.5.13
  • Apache Software Foundation Tomcat 5.5.14
    cpe:2.3:a:apache:tomcat:5.5.14
  • Apache Software Foundation Tomcat 5.5.15
    cpe:2.3:a:apache:tomcat:5.5.15
  • Apache Software Foundation Tomcat 5.5.16
    cpe:2.3:a:apache:tomcat:5.5.16
  • Apache Software Foundation Tomcat 5.5.17
    cpe:2.3:a:apache:tomcat:5.5.17
  • Apache Software Foundation Tomcat 5.5.18
    cpe:2.3:a:apache:tomcat:5.5.18
  • Apache Software Foundation Tomcat 5.5.19
    cpe:2.3:a:apache:tomcat:5.5.19
  • Apache Software Foundation Tomcat 5.5.20
    cpe:2.3:a:apache:tomcat:5.5.20
  • Apache Software Foundation Tomcat 5.5.21
    cpe:2.3:a:apache:tomcat:5.5.21
  • Apache Software Foundation Tomcat 6.0.0
    cpe:2.3:a:apache:tomcat:6.0.0
  • Apache Software Foundation Tomcat 6.0.0 alpha
    cpe:2.3:a:apache:tomcat:6.0.0:alpha
  • Apache Software Foundation Tomcat 6.0.1
    cpe:2.3:a:apache:tomcat:6.0.1
  • Apache Software Foundation Tomcat 6.0.1 alpha
    cpe:2.3:a:apache:tomcat:6.0.1:alpha
  • Apache Software Foundation Tomcat 6.0.2
    cpe:2.3:a:apache:tomcat:6.0.2
  • Apache Software Foundation Tomcat 6.0.2 alpha
    cpe:2.3:a:apache:tomcat:6.0.2:alpha
  • Apache Software Foundation Tomcat 6.0.2 beta
    cpe:2.3:a:apache:tomcat:6.0.2:beta
  • Apache Software Foundation Tomcat 6.0.3
    cpe:2.3:a:apache:tomcat:6.0.3
  • Apache Software Foundation Tomcat 6.0.4
    cpe:2.3:a:apache:tomcat:6.0.4
  • Apache Software Foundation Tomcat 6.0.4 alpha
    cpe:2.3:a:apache:tomcat:6.0.4:alpha
  • Apache Software Foundation Tomcat 6.0.5
    cpe:2.3:a:apache:tomcat:6.0.5
  • Apache Software Foundation Tomcat 6.0.6
    cpe:2.3:a:apache:tomcat:6.0.6
  • Apache Software Foundation Tomcat 6.0.6 alpha
    cpe:2.3:a:apache:tomcat:6.0.6:alpha
  • Apache Software Foundation Tomcat 6.0.7
    cpe:2.3:a:apache:tomcat:6.0.7
  • Apache Software Foundation Tomcat 6.0.7 alpha
    cpe:2.3:a:apache:tomcat:6.0.7:alpha
  • Apache Software Foundation Tomcat 6.0.7 beta
    cpe:2.3:a:apache:tomcat:6.0.7:beta
  • Apache Software Foundation Tomcat 6.0.8
    cpe:2.3:a:apache:tomcat:6.0.8
  • Apache Software Foundation Tomcat 6.0.8 alpha
    cpe:2.3:a:apache:tomcat:6.0.8:alpha
  • Apache Software Foundation Tomcat 6.0.9
    cpe:2.3:a:apache:tomcat:6.0.9
  • Apache Software Foundation Tomcat 6.0.9 beta
    cpe:2.3:a:apache:tomcat:6.0.9:beta
CVSS
Base: 5.0 (as of 19-03-2007 - 11:34)
Impact:
Exploitability:
CWE CWE-22
CAPEC
  • Relative Path Traversal
    An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
  • Directory Traversal
    An attacker with access to file system resources, either directly or via application logic, will use various file path specification or navigation mechanisms such as ".." in path strings and absolute paths to extend their range of access to inappropriate areas of the file system. The attacker attempts to either explore the file system for recon purposes or access directories and files that are intended to be restricted from their access. Exploring the file system can be achieved through constructing paths presented to directory listing programs, such as "ls" and 'dir', or through specially crafted programs that attempt to explore the file system. The attacker engaging in this type of activity is searching for information that can be used later in a more exploitive attack. Access to restricted directories or files can be achieved through modification of path references utilized by system applications.
  • File System Function Injection, Content Based
    An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
  • Using Slashes and URL Encoding Combined to Bypass Validation Logic
    This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
  • Using Escaped Slashes in Alternate Encoding
    This attack targets the use of the backslash in alternate encoding. An attacker can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the attacker tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
exploit-db via4
description Apache HTTP Server Tomcat 5.x/6.0.x Directory Traversal Vulnerability. CVE-2007-0450. Remote exploit for linux platform
id EDB-ID:29739
last seen 2016-02-03
modified 2007-03-14
published 2007-03-14
reporter D. Matscheko
source https://www.exploit-db.com/download/29739/
title Apache HTTP Server Tomcat 5.x/6.0.x - Directory Traversal Vulnerability
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2007-007.NASL
    description The remote host is running a version of Mac OS X 10.4 or 10.3 which does not have the security update 2007-007 applied. This update contains several security fixes for the following programs : - bzip2 - CFNetwork - CoreAudio - cscope - gnuzip - iChat - Kerberos - mDNSResponder - PDFKit - PHP - Quartz Composer - Samba - SquirrelMail - Tomcat - WebCore - WebKit
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 25830
    published 2007-08-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25830
    title Mac OS X Multiple Vulnerabilities (Security Update 2007-007)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_TOMCAT5-3951.NASL
    description Certain characters of the URL were not properly filtered. This allowed directory reverse traversal attacks to access the web-root of tomcat. (CVE-2007-0450)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29592
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29592
    title SuSE 10 Security Update : Tomcat 5 (ZYPP Patch Number 3951)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200705-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-200705-03 (Tomcat: Information disclosure) Tomcat allows special characters like slash, backslash or URL-encoded backslash as a separator, while Apache does not. Impact : A remote attacker could send a specially crafted URL to the vulnerable Tomcat server, possibly resulting in a directory traversal and read access to arbitrary files with the privileges of the user running Tomcat. Note that this vulnerability can only be exploited when using apache proxy modules like mod_proxy, mod_rewrite or mod_jk. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 25133
    published 2007-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25133
    title GLSA-200705-03 : Tomcat: Information disclosure
  • NASL family Web Servers
    NASL id TOMCAT_4_1_36.NASL
    description According to its self-reported version number, the instance of Apache Tomcat 4.x listening on the remote host is prior to 4.1.36. It is, therefore, affected by the following vulnerabilities : - Requests containing multiple 'content-length' headers are not rejected as invalid. This error can allow web-cache poisoning, cross-site scripting attacks and information disclosure. (CVE-2005-2090) - An input sanitization error exists that can allow disclosure of sensitive information via directory traversal. This vulnerability is exposed when the server is configured to use the 'Proxy' module. (CVE-2007-0450) - 'Accept-Language' headers are not validated properly, which can allow cross-site scripting attacks. (CVE-2007-1358) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-08-01
    plugin id 17726
    published 2011-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17726
    title Apache Tomcat 4.x < 4.1.36 Multiple Vulnerabilities
  • NASL family Web Servers
    NASL id TOMCAT_6_0_10.NASL
    description According to its self-reported version number, the Apache Tomcat instance listening on the remote host is prior to 6.0.10. It is, therefore, affected by the following vulnerability : - A directory traversal vulnerability exists in Tomcat due to improper handling of certain path delimiters when behind a proxy. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-11
    plugin id 121112
    published 2019-01-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121112
    title Apache Tomcat < 6.0.10 Directory Traversal
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_872623AF39EC11DCB8CC000FEA449B8A.NASL
    description Apache Project reports : The Apache Tomcat team is proud to announce the immediate availability of Tomcat 4.1.36 stable. This build contains numerous library updates, A small number of bug fixes and two important security fixes.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25784
    published 2007-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25784
    title FreeBSD : tomcat -- multiple vulnerabilities (872623af-39ec-11dc-b8cc-000fea449b8a)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0327.NASL
    description From Red Hat Security Advisory 2007:0327 : Updated tomcat packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Tomcat is a servlet container for Java Servlet and JavaServer Pages technologies. Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks. (CVE-2005-2090) Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct an HTTP request to work around the context restriction and potentially access non-proxied content. (CVE-2007-0450) The implict-objects.jsp file distributed in the examples webapp displayed a number of unfiltered header values. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks. (CVE-2006-7195) Users should upgrade to these erratum packages which contain an update to Tomcat that resolves these issues. Updated jakarta-commons-modeler packages are also included which correct a bug when used with Tomcat 5.5.23.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67487
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67487
    title Oracle Linux 5 : tomcat (ELSA-2007-0327)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0327.NASL
    description Updated tomcat packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Tomcat is a servlet container for Java Servlet and JavaServer Pages technologies. Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks. (CVE-2005-2090) Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct an HTTP request to work around the context restriction and potentially access non-proxied content. (CVE-2007-0450) The implict-objects.jsp file distributed in the examples webapp displayed a number of unfiltered header values. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks. (CVE-2006-7195) Users should upgrade to these erratum packages which contain an update to Tomcat that resolves these issues. Updated jakarta-commons-modeler packages are also included which correct a bug when used with Tomcat 5.5.23.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 25329
    published 2007-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25329
    title RHEL 5 : tomcat (RHSA-2007:0327)
  • NASL family Web Servers
    NASL id TOMCAT_PROXY_DIRECTORY_TRAVERSAL.NASL
    description The remote web server proxies certain requests to an Apache Tomcat server and allows directory traversal attacks due to Tomcat allowing '/', '\', and '%5c' characters as directory separators. By sending a specially crafted request, it is possible for an attacker to break out of the given context and access web applications that may not otherwise be proxied to the Tomcat web server.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 43623
    published 2010-01-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43623
    title Apache Tomcat Directory Traversal
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20070717_TOMCAT_ON_SL5_X.NASL
    description Some JSPs within the 'examples' web application did not escape user provided data. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks (CVE-2007-2449). Note: it is recommended the 'examples' web application not be installed on a production system. The Manager and Host Manager web applications did not escape user provided data. If a user is logged in to the Manager or Host Manager web application, an attacker could perform a cross-site scripting attack (CVE-2007-2450). Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks. (CVE-2005-2090) Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct an HTTP request to work around the context restriction and potentially access non-proxied content. (CVE-2007-0450) The implict-objects.jsp file distributed in the examples webapp displayed a number of unfiltered header values. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks. (CVE-2006-7195)
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60227
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60227
    title Scientific Linux Security Update : tomcat on SL5.x i386/x86_64
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2008-0002.NASL
    description Updated VirtualCenter fixes the following application vulnerabilities a. Tomcat Server Security Update This release of VirtualCenter Server updates the Tomcat Server package from 5.5.17 to 5.5.25, which addresses multiple security issues that existed in the earlier releases of Tomcat Server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-2090, CVE-2006-7195, and CVE-2007-0450 to these issues. b. JRE Security Update This release of VirtualCenter Server updates the JRE package from 1.5.0_7 to 1.5.0_12, which addresses a security issue that existed in the earlier release of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-3004 to this issue. NOTE: These vulnerabilities can be exploited remotely only if the attacker has access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 40373
    published 2009-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40373
    title VMSA-2008-0002 : Low severity security update for VirtualCenter and ESX
  • NASL family SuSE Local Security Checks
    NASL id SUSE_TOMCAT5-3950.NASL
    description Certain characters of the URL were not properly filtered. This allowed directory reverse traversal attacks to access the web-root of tomcat. (CVE-2007-0450)
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27471
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27471
    title openSUSE 10 Security Update : tomcat5 (tomcat5-3950)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0524.NASL
    description Red Hat Network Satellite Server version 4.2.3 is now available. This update includes fixes for a number of security issues in Red Hat Network Satellite Server components. This update has been rated as having low security impact by the Red Hat Security Response Team. This release corrects several security vulnerabilities in various components shipped as part of the Red Hat Network Satellite Server 4.2. In a typical operating environment, these components are not exposed to users of Satellite Server in a vulnerable manner. These security updates will reduce risk in unique Satellite Server environments. Multiple flaws were fixed in the Apache HTTPD server. These flaws could result in a cross-site scripting, denial-of-service, or information disclosure attacks. (CVE-2004-0885, CVE-2006-5752, CVE-2006-7197, CVE-2007-1860, CVE-2007-3304, CVE-2007-4465, CVE-2007-5000, CVE-2007-6388) A denial-of-service flaw was fixed in mod_perl. (CVE-2007-1349) A denial-of-service flaw was fixed in the jabberd server. (CVE-2006-1329) Multiple cross-site scripting flaws were fixed in the image map feature in the JFreeChart package. (CVE-2007-6306) Multiple flaws were fixed in the IBM Java 1.4.2 Runtime. (CVE-2007-0243, CVE-2007-2435, CVE-2007-2788, CVE-2007-2789) Multiple flaws were fixed in the OpenMotif package. (CVE-2004-0687, CVE-2004-0688, CVE-2004-0914, CVE-2005-3964, CVE-2005-0605) A flaw which could result in weak encryption was fixed in the perl-Crypt-CBC package. (CVE-2006-0898) Multiple flaws were fixed in the Tomcat package. (CVE-2008-0128, CVE-2007-5461, CVE-2007-3385, CVE-2007-3382, CVE-2007-1358, CVE-2007-1355, CVE-2007-2450, CVE-2007-2449, CVE-2007-0450, CVE-2006-7196, CVE-2006-7195, CVE-2006-3835, CVE-2006-0254, CVE-2005-2090, CVE-2005-4838, CVE-2005-3510) Users of Red Hat Network Satellite Server 4.2 are advised to upgrade to 4.2.3, which resolves these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 43837
    published 2010-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43837
    title RHEL 3 / 4 : Satellite Server (RHSA-2008:0524)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0327.NASL
    description Updated tomcat packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Tomcat is a servlet container for Java Servlet and JavaServer Pages technologies. Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks. (CVE-2005-2090) Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct an HTTP request to work around the context restriction and potentially access non-proxied content. (CVE-2007-0450) The implict-objects.jsp file distributed in the examples webapp displayed a number of unfiltered header values. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks. (CVE-2006-7195) Users should upgrade to these erratum packages which contain an update to Tomcat that resolves these issues. Updated jakarta-commons-modeler packages are also included which correct a bug when used with Tomcat 5.5.23.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25223
    published 2007-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25223
    title CentOS 5 : tomcat (CESA-2007:0327)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-1069.NASL
    description Updated tomcat packages that fix multiple security issues are now available for Red Hat Network Satellite Server. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tomcat is a servlet container for Java Servlet and JavaServer Pages technologies. It was reported Tomcat did not properly handle the following character sequence in a cookie: \' (a backslash followed by a double-quote). It was possible remote attackers could use this failure to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3385). Tomcat was found treating single quote characters -- ' -- as delimiters in cookies. This could allow remote attackers to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3382). The default Tomcat configuration permitted the use of insecure SSL cipher suites including the anonymous cipher suite. (CVE-2007-1858) Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct an HTTP request to work around the context restriction and potentially access non-proxied content. (CVE-2007-0450) Directory listings were enabled by default in Tomcat. Information stored unprotected under the document root was visible to anyone if the administrator did not disable directory listings. (CVE-2006-3835) It was found that generating listings of large directories was CPU intensive. An attacker could make repeated requests to obtain a directory listing of any large directory, leading to a denial of service. (CVE-2005-3510) Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks. (CVE-2005-2090) Users should upgrade to these erratum packages which contain an update to Tomcat that resolves these issues, and add the tyrex and jakarta-commons-pool packages which are required dependencies of the new Tomcat version.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 43834
    published 2010-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43834
    title RHEL 3 / 4 : tomcat in Satellite Server (RHSA-2007:1069)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0261.NASL
    description Red Hat Network Satellite Server version 5.0.2 is now available. This update includes fixes for a number of security issues in Red Hat Network Satellite Server components. This update has been rated as having moderate security impact by the Red Hat Security Response Team. During an internal security review, a cross-site scripting flaw was found that affected the Red Hat Network channel search feature. (CVE-2007-5961) This release also corrects several security vulnerabilities in various components shipped as part of the Red Hat Network Satellite Server. In a typical operating environment, these components are not exposed to users of Satellite Server in a vulnerable manner. These security updates will reduce risk in unique Satellite Server environments. Multiple flaws were fixed in the Apache HTTPD server. These flaws could result in a cross-site scripting, denial-of-service, or information disclosure attacks. (CVE-2004-0885, CVE-2006-5752, CVE-2006-7197, CVE-2007-1860, CVE-2007-3304, CVE-2007-4465, CVE-2007-5000, CVE-2007-6388) A denial-of-service flaw was fixed in mod_perl. (CVE-2007-1349) A denial-of-service flaw was fixed in the jabberd server. (CVE-2006-1329) Multiple cross-site scripting flaws were fixed in the image map feature in the JFreeChart package. (CVE-2007-6306) Multiple flaws were fixed in the IBM Java 1.4.2 Runtime. (CVE-2007-0243, CVE-2007-2435, CVE-2007-2788, CVE-2007-2789) Two arbitrary code execution flaws were fixed in the OpenMotif package. (CVE-2005-3964, CVE-2005-0605) A flaw which could result in weak encryption was fixed in the perl-Crypt-CBC package. (CVE-2006-0898) Multiple flaws were fixed in the Tomcat package. (CVE-2008-0128, CVE-2007-5461, CVE-2007-3385, CVE-2007-3382, CVE-2007-1358, CVE-2007-1355, CVE-2007-2450, CVE-2007-2449, CVE-2007-0450, CVE-2006-7196, CVE-2006-7195, CVE-2006-3835, CVE-2006-0254, CVE-2005-2090, CVE-2005-4838, CVE-2005-3510) Users of Red Hat Network Satellite Server 5.0 are advised to upgrade to 5.0.2, which resolves these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 43835
    published 2010-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43835
    title RHEL 4 : Satellite Server (RHSA-2008:0261)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-241.NASL
    description A number of vulnerabilities were found in Tomcat : A directory traversal vulnerability, when using certain proxy modules, allows a remote attacker to read arbitrary files via a .. (dot dot) sequence with various slash, backslash, or url-encoded backslash characters (CVE-2007-0450; affects Mandriva Linux 2007.1 only). Multiple cross-site scripting vulnerabilities in certain JSP files allow remote attackers to inject arbitrary web script or HTML (CVE-2007-2449). Multiple cross-site scripting vulnerabilities in the Manager and Host Manager web applications allow remote authenticated users to inject arbitrary web script or HTML (CVE-2007-2450). Tomcat treated single quotes as delimiters in cookies, which could cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks (CVE-2007-3382). Tomcat did not properly handle the ' character sequence in a cookie value, which could cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks (CVE-2007-3385). A cross-site scripting vulnerability in the Host Manager servlet allowed remote attackers to inject arbitrary HTML and web script via crafted attacks (CVE-2007-3386). Finally, an absolute path traversal vulnerability, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag (CVE-2007-5461). The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 38147
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38147
    title Mandrake Linux Security Advisory : tomcat5 (MDKSA-2007:241)
oval via4
accepted 2013-04-29T04:07:21.105-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.
family unix
id oval:org.mitre.oval:def:10643
status accepted
submitted 2010-07-09T03:56:16-04:00
title Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.
version 18
packetstorm via4
data source https://packetstormsecurity.com/files/download/55163/SA-20070314-0.txt
id PACKETSTORM:55163
last seen 2016-12-05
published 2007-03-20
reporter D. Matscheko
source https://packetstormsecurity.com/files/55163/SA-20070314-0.txt.html
title SA-20070314-0.txt
redhat via4
advisories
  • rhsa
    id RHSA-2007:0327
  • rhsa
    id RHSA-2007:0360
  • rhsa
    id RHSA-2008:0261
rpms
  • tomcat5-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-admin-webapps-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-common-lib-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-jasper-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-jasper-javadoc-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-jsp-2.0-api-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-server-lib-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-servlet-2.4-api-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-webapps-0:5.5.23-0jpp.1.0.3.el5
  • jakarta-commons-modeler-0:1.1-8jpp.1.0.2.el5
  • jakarta-commons-modeler-javadoc-0:1.1-8jpp.1.0.2.el5
refmap via4
apple APPLE-SA-2007-07-31
bid
  • 22960
  • 25159
bugtraq
  • 20070314 SEC Consult SA-20070314-0 :: Apache HTTP Server / Tomcat directory traversal
  • 20080108 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1
  • 20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
  • 20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1)
confirm
gentoo GLSA-200705-03
hp
  • HPSBUX02262
  • SSRT071447
mandriva MDKSA-2007:241
misc
mlist [Security-announce] 20080107 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1
secunia
  • 24732
  • 25106
  • 25280
  • 26235
  • 26660
  • 27037
  • 28365
  • 30899
  • 30908
  • 33668
sreason 2446
sunalert 239312
suse
  • SUSE-SR:2007:005
  • SUSE-SR:2007:015
vupen
  • ADV-2007-0975
  • ADV-2007-2732
  • ADV-2007-3087
  • ADV-2007-3386
  • ADV-2008-0065
  • ADV-2008-1979
  • ADV-2009-0233
xf tomcat-proxy-directory-traversal(32988)
Last major update 07-03-2011 - 21:49
Published 16-03-2007 - 18:19
Last modified 21-03-2019 - 11:38
Back to Top