   VULNERABILITY NOTE

CERT-In Vulnerability Note CIVN-2008-117
Apache Tomcat 'RequestDispatcher' Information Disclosure Vulnerability

Original Issue Date: August 06, 2008

Severity Rating: High

System Affected

  • Apache Tomcat 4.1.0 to 4.1.37
  • Apache Tomcat 5.5.0 to 5.5.25
  • Apache Tomcat 6.0.0 to 6.0.16

Overview

A vulnerability has been reported in Apache Tomcat which can be exploited by a remote attacker to conduct directory traversal attacks and read files that should not be served, by placing a ".." (dot dot) sequence in a request parameter.

Description

This vulnerability is caused by an input validation error in the handling of a RequestDispatcher. When the HTTP 'RequestDispatcher' was used, the target path was normalized before the query string was removed, so ".." sequences inside a parameter value were applied to the path itself. A remote attacker can exploit this issue by sending a request that includes a specially crafted request parameter, to access content that would otherwise be protected by a security constraint or by being located under the WEB-INF directory.
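The following is an added, simplified model of the ordering problem described above; it is not Tomcat's own code. It contrasts the vulnerable order (normalize, then strip the query string) with the corrected order (strip the query string, then normalize) on a constructed dispatch target, and checks the result against the WEB-INF rule. The helper names, the sample target and the is_protected check are assumptions made for this illustration.

```python
# Constructed illustration of the CVE-2008-2370 ordering bug. NOT Tomcat's
# code: only the two operations named in the advisory are modelled, namely
# normalizing the target path and removing the query string.


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments in an absolute servlet path."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def strip_query(target: str) -> tuple[str, str]:
    """Split a dispatch target into (path, query_string)."""
    path, _, query = target.partition("?")
    return path, query


def resolve_vulnerable(target: str) -> tuple[str, str]:
    """Buggy order: normalize the whole string, then look for the query.

    The '?' and the parameter name become part of a path segment, so a
    '..' inside the parameter value pops real path segments.
    """
    return strip_query(normalize(target))


def resolve_fixed(target: str) -> tuple[str, str]:
    """Corrected order: remove the query string first, then normalize."""
    path, query = strip_query(target)
    return normalize(path), query


def is_protected(path: str) -> bool:
    """Servlet rule: nothing under /WEB-INF may be served to a client."""
    return path == "/WEB-INF" or path.startswith("/WEB-INF/")


if __name__ == "__main__":
    # Constructed request: the '..' lives only inside a parameter value.
    target = "/page.jsp?file=/../WEB-INF/web.xml"
    for name, fn in (("vulnerable", resolve_vulnerable), ("fixed", resolve_fixed)):
        path, query = fn(target)
        print(f"{name:10s} path={path!r} query={query!r} protected={is_protected(path)}")
```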

Solutions

  • For Apache Tomcat 4.1.x, this issue is fixed in Apache Tomcat 4.1.SVN
  • For Apache Tomcat 5.5.x, this issue is fixed in Apache Tomcat 5.5.SVN
  • Users of Apache Tomcat 6.0.x may upgrade to 6.0.18

Vendor Information

Apache Tomcat
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html

References

FrSIRT
http://www.frsirt.com/english/Reference-CVE-2008-2370.php

SecurityFocus
http://www.securityfocus.com/archive/1/495022
http://www.securityfocus.com/bid/30494/info

Juniper Networks
http://www.juniper.net/security/auto/vulnerabilities/vuln30494.html

CVE Name
CVE-2008-2370

CWE Name
CWE-22

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003