On 22 February 2016 at 11:23, Mark Thomas <ma...@apache.org> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > CVE-2015-5345 Apache Tomcat Directory disclosure > > Severity: Low > > Vendor: The Apache Software Foundation > > Versions Affected: > - - Apache Tomcat 6.0.0 to 6.0.44 > - - Apache Tomcat 7.0.0 to 7.0.66 > - - Apache Tomcat 8.0.0.RC1 to 8.0.29 > - - Apache Tomcat 9.0.0.M1 > - - Earlier, unsupported Tomcat versions may be affected > > Description: > When accessing a directory protected by a security constraint with a URL > that did not end in a slash, Tomcat would redirect to the URL with the > trailing slash thereby confirming the presence of the directory before > processing the security constraint. It was therefore possible for a user > to determine if a directory existed or not, even if the user was not > permitted to view the directory. The issue also occurred at the root of > a web application in which case the presence of the web application was > confirmed, even if a user did not have access. > > The solution was to implement the redirect in the DefaultServlet so that > any security constraints and/or security enforcing Filters were > processed before the redirect. The Tomcat team recognised that moving > the redirect could cause regressions to two new Context configuration
s/to two/so two/ ? > options (mapperContextRootRedirectEnabled and > mapperDirectoryRedirectEnabled) were introduced. The initial default was > false for both since this was more secure. However, due to regressions > such as Bug 58765 [1] the default for mapperContextRootRedirectEnabled > was later changed to true since it was viewed that the regression was > more serious than the security risk of associated with being able to > determine if a web application was deployed at a given path. > > Mitigation: > Users of affected versions should apply one of the following mitigations > - - Upgrade to Apache Tomcat 9.0.0.M3 or later > (9.0.0.M2 has the fix but was not released) > - - Upgrade to Apache Tomcat 8.0.30 or later > - - Upgrade to Apache Tomcat 7.0.67 or later > - - Upgrade to Apache Tomcat 6.0.45 or later > > > Credit: > This issue was discovered by Mark Koek of QCSec. > > References: > [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=58765 > [2] http://tomcat.apache.org/security-9.html > [3] http://tomcat.apache.org/security-8.html > [4] http://tomcat.apache.org/security-7.html > [5] http://tomcat.apache.org/security-6.html > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2 > > iQIcBAEBCAAGBQJWyu+lAAoJEBDAHFovYFnnFrYP+wZwqPsP6vtAn4VrIslTxrkO > A31WCsXwnvggSIBLdITCwpJFywqPfpurFhce38Chgznli9E46Pr6dukTC56NhjmB > Cv7+PTdpJxM3vKFw+OlLrfIrxEFtHbYOTI6q7NgjfVjdbG9LbVgG3JRTmf3tT+GN > DU165VK7TxvBj68ll05gLECgAtrGFAEQl+51VlfWRZw8wXGFni2X43kEwUpihgHj > Ci4W1+sBUln0ww+aKa6sRpJTi/s3tKPWckjMY//bDIMfd4gdK7N6CJSrRMbj6Gsw > gfm1ixWlJJPKVvokH08NKvxcpwvRX4D1RD80WkaCrC7WMKzK8ohmhxxhIDXHmPE8 > kibaJuy1WqQG+G/H00LTGpGkeevyg4/mH2hDxDbDJ5ye1RMA9GsKFC1YpDzugTxO > zr9lX9QRWpPNEJDXSipdjs27p8hcF+vgwI5eVd5R721wpv17IEg0Lsy4zvvswFik > t3rIj6wwVYHFoMNpwA/sojaRTGb62nqGREYiGMX4fPPd2OCtl1J4I8oZ3x4Q2gkJ > WRX98z6a04zMisiGNeTjl7ZkgEjNNW8/XG4J5sFmgSo5p2XwBCINLyWfnYiQporj > Ym0Ig9k8t5BHntgkP02a+CF9GScdkxNq8UC8Ad2oAHBqOEXd/9DHv80fA7ApvG7e > HnSzWGDdd63z0ixY0g2I > =6UrH > -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
