Apache Tomcat Form Authentication Username Enumeration Vulnerability

Cause
Design error
 
Affected systems
Apache Software Foundation Tomcat 6.0.18
Apache Software Foundation Tomcat 6.0.16
Apache Software Foundation Tomcat 6.0.15
Apache Software Foundation Tomcat 6.0.14
Apache Software Foundation Tomcat 6.0.13
Apache Software Foundation Tomcat 6.0.12
Apache Software Foundation Tomcat 6.0.11
Apache Software Foundation Tomcat 6.0.10
Apache Software Foundation Tomcat 6.0.9
Apache Software Foundation Tomcat 6.0.8
Apache Software Foundation Tomcat 6.0.7
Apache Software Foundation Tomcat 6.0.6
Apache Software Foundation Tomcat 6.0.5
Apache Software Foundation Tomcat 6.0.4
Apache Software Foundation Tomcat 6.0.3
Apache Software Foundation Tomcat 6.0.2
Apache Software Foundation Tomcat 6.0.1
Apache Software Foundation Tomcat 6.0
Apache Software Foundation Tomcat 5.5.27
Apache Software Foundation Tomcat 5.5.26
Apache Software Foundation Tomcat 5.5.25
Apache Software Foundation Tomcat 5.5.24
Apache Software Foundation Tomcat 5.5.23
Apache Software Foundation Tomcat 5.5.22
Apache Software Foundation Tomcat 5.5.21
Apache Software Foundation Tomcat 5.5.20
+ Gentoo Linux 1.4 _rc3
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.2
Apache Software Foundation Tomcat 5.5.19
Apache Software Foundation Tomcat 5.5.18
Apache Software Foundation Tomcat 5.5.17
Apache Software Foundation Tomcat 5.5.16
Apache Software Foundation Tomcat 5.5.15
Apache Software Foundation Tomcat 5.5.14
Apache Software Foundation Tomcat 5.5.13
Apache Software Foundation Tomcat 5.5.12
Apache Software Foundation Tomcat 5.5.11
Apache Software Foundation Tomcat 5.5.10
Apache Software Foundation Tomcat 5.5.9
Apache Software Foundation Tomcat 5.5.8
Apache Software Foundation Tomcat 5.5.7
Apache Software Foundation Tomcat 5.5.6
Apache Software Foundation Tomcat 5.5.5
Apache Software Foundation Tomcat 5.5.4
Apache Software Foundation Tomcat 5.5.3
Apache Software Foundation Tomcat 5.5.2
Apache Software Foundation Tomcat 5.5.1
Apache Software Foundation Tomcat 5.5
Apache Software Foundation Tomcat 4.1.39
Apache Software Foundation Tomcat 4.1.38
Apache Software Foundation Tomcat 4.1.37
Apache Software Foundation Tomcat 4.1.36
Apache Software Foundation Tomcat 4.1.35
Apache Software Foundation Tomcat 4.1.34
+ Gentoo Linux 1.4 _rc3
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.2
Apache Software Foundation Tomcat 4.1.32
Apache Software Foundation Tomcat 4.1.31
Apache Software Foundation Tomcat 4.1.30
Apache Software Foundation Tomcat 4.1.29
Apache Software Foundation Tomcat 4.1.28
Apache Software Foundation Tomcat 4.1.24
+ Gentoo Linux 1.4 _rc3
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.2
Apache Software Foundation Tomcat 4.1.12
Apache Software Foundation Tomcat 4.1.10
Apache Software Foundation Tomcat 4.1.9 beta
Apache Software Foundation Tomcat 4.1.3 beta
Apache Software Foundation Tomcat 4.1.3
Apache Software Foundation Tomcat 4.1
– BSDI BSD/OS 4.0
– Caldera OpenLinux 2.4
– Conectiva Linux 5.1
– Debian Linux 2.3
– Debian Linux 2.2
– Debian Linux 2.1
– Digital UNIX 4.0
– FreeBSD FreeBSD 5.0
– FreeBSD FreeBSD 4.5
– MandrakeSoft Linux Mandrake 7.1
– MandrakeSoft Linux Mandrake 7.0
– NetBSD NetBSD 1.4.2 x86
– NetBSD NetBSD 1.4.1 x86
– RedHat Linux 6.2 i386
– RedHat Linux 6.1 i386
– SGI IRIX 6.5
– SGI IRIX 6.4
– SGI IRIX 3.3
– Sun Solaris 8
– Sun Solaris 7.0
 
Unaffected systems
Apache Software Foundation Tomcat 6.0.20
Apache Software Foundation Tomcat 5.5.28
Apache Software Foundation Tomcat 4.1.40
 
Impact
A remote attacker can exploit this vulnerability to obtain sensitive information.
 
Attack prerequisites
The attacker must be able to reach the Apache Tomcat instance.
 
Vulnerability details
Apache Tomcat is an open-source JSP application server.
Apache Tomcat does not adequately handle errors in some of its authentication classes; a remote attacker can exploit this to enumerate user accounts and obtain sensitive information.
By submitting a password that is not validly URL-encoded, an attacker can tell from the differing responses whether a given username exists.
 
Test method
POST /j_security_check HTTP/1.1
Host: www.example.com

j_username=tomcat&j_password=%
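
The response discrepancy the advisory describes, as an added example that is neither the advisory's nor Tomcat's code: a simplified form-login handler in Python with the flawed ordering beside a hardened one, plus a regression check that a known and an unknown user get the same status for a malformed password. The sample realm, the status codes and all function names are assumptions made for this illustration.

```python
import hmac

# Constructed sample realm for this example (a real realm stores password hashes).
USERS = {"tomcat": "s3cret"}

def strict_percent_decode(s: str) -> str:
    """Decode application/x-www-form-urlencoded text, raising on a malformed escape
    such as a lone '%' (Python's urllib.parse.unquote would silently pass it through)."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%":
            hex_part = s[i + 1:i + 3]
            if len(hex_part) != 2 or any(c not in "0123456789abcdefABCDEF" for c in hex_part):
                raise ValueError("malformed percent-encoding")
            out.append(int(hex_part, 16))
            i += 3
        elif s[i] == "+":
            out.append(0x20)
            i += 1
        else:
            out.extend(s[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8")

def vulnerable_check(username: str, encoded_password: str) -> int:
    """Flawed ordering: the password is decoded only after a user is found, so a malformed
    password yields a 500 for an existing account but a 401 for an unknown one."""
    if username not in USERS:
        return 401
    try:
        password = strict_percent_decode(encoded_password)
    except ValueError:
        return 500
    return 200 if hmac.compare_digest(password.encode(), USERS[username].encode()) else 401

def hardened_check(username: str, encoded_password: str) -> int:
    """Decode and validate the request before any credential lookup, and map a malformed
    request to one status that does not depend on whether the account exists."""
    try:
        password = strict_percent_decode(encoded_password)
    except ValueError:
        return 400
    if username not in USERS:
        return 401
    return 200 if hmac.compare_digest(password.encode(), USERS[username].encode()) else 401

def discloses_user_existence(check) -> bool:
    """Regression test: a malformed password must give the same status for known and unknown users."""
    return check("tomcat", "%") != check("no-such-user", "%")
```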
 
Vendor solution
Fixes are available from the vendor:
http://svn.apache.org/viewvc?view=rev&revision=747840
http://svn.apache.org/viewvc?view=rev&revision=781379
http://svn.apache.org/viewvc?view=rev&revision=781382
 
Credit
D. Matscheko and T. Hackner of SEC Consult
