The United States Computer Emergency Response Team (US-CERT) has raised an alarm for a serious vulnerability in Apache Tomcat, warning that a proof-of-concept exploit is publicly available.
The code, posted to Milw0rm.com, exploits a directory traversal vulnerability vulnerability in the way Apache Tomcat handles malformed requests.
From the advisory:
- If a context is configured with allowLinking="true" and the connector is configured with URIEncoding="UTF-8" then a malformed request may be used to access arbitrary files on the server.
The vulnerability (CVE-2008-2938) affects Apache Tomcat versions 4.1.0-4.1.37, 5.5.0-5.5.26, and 6.0.0-6.0.16.
The open-source group has shipped a fix in Apache Tomcat 6.0.18, an update that also fixes three additional security issues:
CVE-2008-1232 (cross-site scripting): The message argument of HttpServletResponse.sendError() call is not only displayed on the error page, but is also used for the reason-phrase of HTTP response. This may include characters that are illegal in HTTP headers. It is possible for a specially crafted message to result in arbitrary content being injected into the HTTP response. For a successful XSS attack, unfiltered user supplied data must be included in the message argument. This affects 6.0.0 - 6.0.16
CVE-2008-1947 (cross-site scripting): The Host Manager web application did not escape user provided data before including it in the output. This enabled a XSS attack. This application now filters the data before use. This issue may be mitigated by logging out (closing the browser) of the application once the management tasks have been completed.
CVE-2008-2370 (information disclosure): When using a RequestDispatcher the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory. This affects: 6.0.0 - 6.0.16.