Author: markt
Date: Wed Jun 3 14:02:06 2009
New Revision: 781382
URL: http://svn.apache.org/viewvc?rev=781382&view=rev
Log:
Fix NPE / information disclosure issue that allowed user enumeration with FORM
auth.
This is CVE-2009-0580.
Modified:
tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java
Modified: tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
URL:
http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt?rev=781382&r1=781381&r2=781382&view=diff
==============================================================================
--- tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt (original)
+++ tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt Wed Jun 3 14:02:06
2009
@@ -1753,6 +1753,11 @@
Fix typo in French localisation file name for the
org.apache.catalina.loader package.
+[4.1.40] Realms
+ Fix information disclosure vulnerability that permitted user
+ enumeration when using FORM authentication.
+ This is CVE-2009-0580.
+
----------------
Coyote Bug Fixes:
Modified:
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java
URL:
http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java?rev=781382&r1=781381&r2=781382&view=diff
==============================================================================
---
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java
(original)
+++
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java
Wed Jun 3 14:02:06 2009
@@ -270,8 +270,9 @@
*/
public Principal authenticate(String username, String credentials) {
- // No user - can't possibly authenticate, don't bother the database
then
- if (username == null) {
+ // No user or no credentials
+ // Can't possibly authenticate, don't bother the database then
+ if (username == null || credentials == null) {
return null;
}
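Review bot: The new `credentials == null` guard records what it does but not why it is security-relevant, and this comment is the only thing standing between a future maintainer and "simplifying" the check away. The commit log ties the change to CVE-2009-0580, a user-enumeration issue; presumably the old path only threw the NPE once a stored credential had been fetched, so the exception itself revealed whether the username existed. I would expand the comment to `// No user or no credentials: return null without touching the database.` / `// A null password must never reach the lookup - the NPE it used to cause only for` / `// existing users allowed user enumeration with FORM auth (CVE-2009-0580).` The body of authenticate continues past the end of the hunk, so the lookup and comparison being guarded are not visible here.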
Modified:
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
URL:
http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java?rev=781382&r1=781381&r2=781382&view=diff
==============================================================================
---
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
(original)
+++
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
Wed Jun 3 14:02:06 2009
@@ -391,10 +391,10 @@
String username,
String credentials) {
-
- // No user - can't possibly authenticate
- if (username == null) {
- return (null);
+ // No user or no credentials
+ // Can't possibly authenticate, don't bother the database then
+ if (username == null || credentials == null) {
+ return null;
}
// Look up the user's credentials
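Review bot: The guard added here is a verbatim copy of the one added to DataSourceRealm in the same commit, so two realms now carry identical security-critical logic that can drift apart independently; if the realms share a common base class, a single protected helper such as `protected boolean hasUsableCredentials(String username, String credentials)` returning `username != null && credentials != null` would keep the CVE-2009-0580 fix in one place. Failing that, the comment should at least name the CVE so the duplicate is recognisable when someone touches only one of the files: `// No user or no credentials: refuse before hitting the database (CVE-2009-0580).` The method this hunk patches starts before the hunk (only its last two parameter lines are visible), and the credential lookup it guards continues after it.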
Modified:
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java
URL:
http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java?rev=781382&r1=781381&r2=781382&view=diff
==============================================================================
---
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java
(original)
+++
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java
Wed Jun 3 14:02:06 2009
@@ -144,7 +144,7 @@
(GenericPrincipal) principals.get(username);
boolean validated = false;
- if (principal != null) {
+ if (principal != null && credentials != null) {
if (hasMessageDigest()) {
// Hex hashes should be compared case-insensitive
validated = (digest(credentials)
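Review bot: Unlike the two database realms patched in this commit, MemoryRealm checks `credentials != null` only after `principals.get(username)` has already run, so a null password still performs the lookup and then falls through with `validated` left false; what is done with `validated` is outside the hunk, but presumably it ends in a null Principal. An early guard ahead of the lookup, `if (username == null || credentials == null) { return null; }`, would match the other realms and make the intent obvious at a glance — note the assignment to `principal` begins before the hunk's first visible line, so the guard would have to go above it. Either way the condition deserves a comment saying that a null credential must be rejected rather than handed to `digest(credentials)`, which is the NPE/enumeration path the commit closes: `// Reject null credentials before digesting them (CVE-2009-0580).`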