Author: markt
Date: Wed Jun 3 13:58:22 2009
New Revision: 781379
URL: http://svn.apache.org/viewvc?rev=781379&view=rev
Log:
Fix NPE / information disclosure issue that allowed user enumeration with FORM
auth.
This is CVE-2009-0580.
Modified:
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java
tomcat/container/tc5.5.x/webapps/docs/changelog.xml
Modified:
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java
URL:
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java?rev=781379&r1=781378&r2=781379&view=diff
==============================================================================
---
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java
(original)
+++
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java
Wed Jun 3 13:58:22 2009
@@ -270,8 +270,9 @@
*/
public Principal authenticate(String username, String credentials) {
- // No user - can't possibly authenticate, don't bother the database then
- if (username == null) {
+ // No user or no credentials
+ // Can't possibly authenticate, don't bother the database then
+ if (username == null || credentials == null) {
return null;
}
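Review bot: The new `credentials == null` test at the top of authenticate() is a security control rather than a convenience check, and the added comment does not say so; a later cleanup that restores the original username-only guard would reopen the enumeration path the log message describes. I would make the comment carry the reason, e.g. `// Reject null credentials before the lookup so an existing and a non-existent user produce the same result (see CVE-2009-0580)`. The same comment belongs on the identical guard in the JDBCRealm hunk, and in spirit on the MemoryRealm hunk, which places its guard after the lookup. authenticate()'s body continues past the hunk, so what happens once the lookup runs is not visible here.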
Modified:
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
URL:
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java?rev=781379&r1=781378&r2=781379&view=diff
==============================================================================
---
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
(original)
+++
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
Wed Jun 3 13:58:22 2009
@@ -393,9 +393,10 @@
String username,
String credentials) {
- // No user - can't possibly authenticate
- if (username == null) {
- return (null);
+ // No user or no credentials
+ // Can't possibly authenticate, don't bother the database then
+ if (username == null || credentials == null) {
+ return null;
}
// Look up the user's credentials
Modified:
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java
URL:
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java?rev=781379&r1=781378&r2=781379&view=diff
==============================================================================
---
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java
(original)
+++
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java
Wed Jun 3 13:58:22 2009
@@ -147,7 +147,7 @@
(GenericPrincipal) principals.get(username);
boolean validated = false;
- if (principal != null) {
+ if (principal != null && credentials != null) {
if (hasMessageDigest()) {
// Hex hashes should be compared case-insensitive
validated = (digest(credentials)
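Review bot: In MemoryRealm the null-credentials guard is applied after `principals.get(username)` rather than at method entry as the DataSourceRealm and JDBCRealm hunks do, so the lookup still runs for a null credential and only the comparison is skipped; with `validated` initialised to false on the line above the outcome is the same, but the asymmetry with the sibling realms deserves a one-line comment such as `// credentials may be null with FORM auth; treat it exactly like a wrong password`. The enclosing authenticate method starts before the hunk and the digest comparison on the last line continues past it, so I cannot confirm from here that no other path dereferences a null credential.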
Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?rev=781379&r1=781378&r2=781379&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Wed Jun 3 13:58:22 2009
@@ -76,6 +76,11 @@
logging at the context level but the security policy prevents this.
(markt/rjung)
</fix>
+ <fix>
+ Fix an information disclosure vulnerability in a number of the Realms
+ that allowed user enumeration when using FORM authentication. This is
+ CVE-2009-0580. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">