Apache HTTP Server Tomcat Directory Traversal Vulnerability
BID:22960
Info
| Field | Value |
| --- | --- |
| Bugtraq ID: | 22960 |
| Class: | Input Validation Error |
| CVE: | CVE-2007-0450 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 14 2007 12:00AM |
| Updated: | Aug 05 2010 08:45PM |
| Credit: | D. Matscheko is credited with the discovery of this vulnerability. |

Vulnerable:
- VMWare VirtualCenter Management Server 2
- VMWare ESX Server 3.0.2, 3.0.1
- SuSE SUSE Linux Enterprise Server SDK 9
- SuSE SUSE Linux Enterprise Server 9 SP3, 9, 8, 10 SP1, 10
- SuSE SUSE Linux Enterprise SDK 10.SP1, 10
- SuSE SUSE Linux Enterprise Desktop 10 SP1, 10
- SuSE Linux Professional 10.2 x86_64
- SuSE Linux Personal 10.2 x86_64
- Sun Solaris 9_x86, 9_sparc, 10_x86, 10_sparc
- S.u.S.E. UnitedLinux 1.0
- S.u.S.E. SuSE Linux Standard Server 8.0
- S.u.S.E. SuSE Linux School Server for i386
- S.u.S.E. SUSE LINUX Retail Solution 8.0
- S.u.S.E. SuSE Linux Openexchange Server 4.0
- S.u.S.E. openSUSE 10.2
- S.u.S.E. Open-Enterprise-Server 9.0, 0
- S.u.S.E. Novell Linux POS 9
- S.u.S.E. Novell Linux Desktop 9.0
- S.u.S.E. Linux Professional 10.0 OSS, 10.0, 9.3 x86_64, 9.3, 10.2, 10.1
- S.u.S.E. Linux Personal 10.0 OSS, 9.3 x86_64, 9.3, 10.2, 10.1
- S.u.S.E. Linux 10.1 x86-64, 10.1 x86, 10.1 ppc, 10.0 x86-64, 10.0 x86, 10.0 ppc
- RedHat Network Satellite (for RHEL 4) 4.2
- RedHat Enterprise Linux Virtualization 5 server
- RedHat Enterprise Linux Optional Productivity Application 5 server
- RedHat Enterprise Linux Hardware Certification 5
- RedHat Enterprise Linux Desktop Workstation 5 client
- RedHat Enterprise Linux Desktop Multi OS 5 client
- RedHat Enterprise Linux Clustering 5 server
- RedHat Enterprise Linux Cluster-Storage 5 server
- RedHat Certificate Server 7.3
- Red Hat Red Hat Network Satellite Server 5.0, 4.2, 4.1, 4.0
- Red Hat Network Satellite (for RHEL 3) 4.2
- Red Hat Enterprise Linux Supplementary 5 server
- Red Hat Enterprise Linux Desktop Supplementary 5 client
- Red Hat Enterprise Linux Desktop 5 client
- Red Hat Enterprise Linux 5 Server
- Mandriva Linux Mandrake 2008.0 x86_64, 2008.0, 2007.1 x86_64, 2007.1
- HP HP-UX B.11.31, B.11.23, B.11.11
- Gentoo Linux
- Fujitsu INTERSTAGE Studio Standard-J Edition 9.0, 8.0.1
- Fujitsu INTERSTAGE Studio Enterprise Edition 9.0, 8.0.1
- Fujitsu INTERSTAGE Job Workload Server 8.1
- Fujitsu INTERSTAGE Business Application Server Enterprise 8.0.0
- Fujitsu INTERSTAGE Apworks Modelers-J Edition 7.0, 6.0A, 6.0
- Fujitsu INTERSTAGE Application Server Standard-J Edition 9.0, 8.0.3, 8.0.2, 8.0
- Fujitsu INTERSTAGE Application Server Plus Developer 6.0
- Fujitsu Interstage Application Server Plus 7.0
- Fujitsu INTERSTAGE Application Server Enterprise Edition 9.0, 8.0.3, 8.0.2, 8.0, 7.0.1, 7.0, 6.0
- Computer Associates Cohesion Application Configuration Manager 4.5
- Avaya Aura Application Enablement Services 4.0, 3.1
- Apple Mac OS X Server 10.4.10, 10.3.9
- Apple Mac OS X 10.4.10, 10.3.9
- Apache Software Foundation Tomcat 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1
- Apache Software Foundation Tomcat 5.5.22, 5.5.21, 5.5.20, 5.5.19, 5.5.18, 5.5.17, 5.5.16, 5.5.15, 5.5.14, 5.5.13, 5.5.12, 5.5.11, 5.5.10, 5.5.9, 5.5.8, 5.5.7, 5.5.6, 5.5.5, 5.5.4, 5.5.3, 5.5.2, 5.5.1, 5.5, 5.4, 5.3, 5.2, 5.1, 5.0

Not Vulnerable:
- Computer Associates Cohesion Application Configuration Manager 4.5 SP1
- Apache Software Foundation Tomcat 6.0.10
- Apache Software Foundation Tomcat 5.5.23
Discussion
Apache HTTP Server deployments that front the Tomcat servlet container are prone to a directory-traversal vulnerability because request paths passed between the two are not sufficiently sanitized.
Exploiting this issue allows attackers to access arbitrary files in the Tomcat webroot. This can expose sensitive information that could help the attacker launch further attacks.
Versions in the 5.0 series prior to 5.5.22 and in the 6.0 series prior to 6.0.10 are vulnerable.
Exploit / POC
Attackers can use a browser to exploit this issue.
The following proof-of-concept URI is available:
http://www.example.com/foo/\../manager/html
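The proof-of-concept URI above works only because the front-end Apache HTTP Server matches the request path one way (it still starts with `/foo/`, so the request is forwarded) while the servlet container resolves the same path another way, treating the backslash as a path separator so that `/foo/\../manager/html` lands in the `/manager` context. The Python script below is an added example written for this page, not code from the advisory, from SEC Consult, or from the Tomcat project. It normalizes a request path the way the proof-of-concept implies an unpatched container did (percent-decode once, backslash as separator, collapse `..`) and flags forwarded requests whose resolved path leaves the context the front end matched. The proxied prefix `/foo/`, the function names and the access-log lines are constructed assumptions.

```python
import re
import urllib.parse

# Prefix the front-end httpd is assumed to forward to Tomcat (hypothetical
# deployment, e.g. a JkMount or ProxyPass for /foo/). A request that still
# begins with this prefix is forwarded, so anything that resolves outside it
# after container-style normalization escaped the intended context.
PROXIED_PREFIX = "/foo/"

# Constructed sample access-log lines in Apache combined-log style; none are
# taken from the advisory or from a real server.
SAMPLE_LOG = r"""
10.0.0.5 - - [14/Mar/2007:10:01:02 +0000] "GET /foo/index.jsp HTTP/1.1" 200 512
10.0.0.7 - - [14/Mar/2007:10:01:09 +0000] "GET /foo/\../manager/html HTTP/1.1" 200 3400
10.0.0.9 - - [14/Mar/2007:10:01:15 +0000] "GET /foo/%5c../manager/html HTTP/1.1" 200 3400
10.0.0.9 - - [14/Mar/2007:10:01:20 +0000] "GET /foo/..%2fmanager/html HTTP/1.1" 404 221
10.0.0.3 - - [14/Mar/2007:10:02:00 +0000] "GET /foo/./page.jsp HTTP/1.1" 200 100
"""

_REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')


def normalize_like_tomcat(raw_path: str) -> str:
    """Resolve a request path the way the proof-of-concept implies an
    unpatched container would: drop the query string, percent-decode once,
    treat backslash as '/', then collapse '.' and '..' segments. Attempts to
    climb above the root are clamped at '/', so the result can land in a
    sibling context such as /manager but never outside the web root."""
    path = raw_path.split("?", 1)[0]
    path = urllib.parse.unquote(path)   # %5c -> '\', %2f -> '/'
    path = path.replace("\\", "/")
    resolved = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(segment)
    normalized = "/" + "/".join(resolved)
    if path.endswith("/") and normalized != "/":
        normalized += "/"
    return normalized


def escapes_prefix(raw_path: str, prefix: str = PROXIED_PREFIX) -> bool:
    """True when httpd would forward the path (it begins with `prefix`) but
    the container would resolve it outside that prefix."""
    if not raw_path.startswith(prefix):
        return False
    return not normalize_like_tomcat(raw_path).startswith(prefix)


def scan_log(log_text: str, prefix: str = PROXIED_PREFIX) -> list:
    """Return (client, raw_path, resolved_path) for every forwarded request
    whose resolved path escapes the proxied prefix, regardless of status."""
    hits = []
    for line in log_text.strip().splitlines():
        match = _REQUEST_RE.match(line)
        if not match:
            continue
        client, _method, raw_path, _status = match.groups()
        if escapes_prefix(raw_path, prefix):
            hits.append((client, raw_path, normalize_like_tomcat(raw_path)))
    return hits


if __name__ == "__main__":
    for client, raw, resolved in scan_log(SAMPLE_LOG):
        print(f"{client}: {raw} -> {resolved}")
```

Point the script at a real front-end access log to find requests that were forwarded under one prefix but would have been resolved elsewhere; the 404 line is flagged as well, since the interesting signal is the attempt, not the outcome. The same comparison (front-end path match versus container path resolution) is the check to repeat after patching, to confirm the two components now agree on what a backslash and an encoded slash mean.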
Solution / Fix
Solution:
Updates are available. Please see the references for more information.
Apache Software Foundation Tomcat 5.0
- Apache apache-tomcat-5.5.23.tar.gz: http://gulus.usherbrooke.ca/pub/appl/apache/tomcat/tomcat-5/v5.5.23/bin/apache-tomcat-5.5.23.tar.gz

Apple Mac OS X Server 10.3.9
- Apple SecUpdSrvr2007-007Pan.dmg for Mac OS X Server v10.3.9: http://www.apple.com/support/downloads/

Apple Mac OS X 10.3.9
- Apple SecUpd2007-007Pan.dmg for Mac OS X v10.3.9: http://www.apple.com/support/downloads/

Apple Mac OS X 10.4.10
- Apple SecUpd2007-007Ti.dmg for Mac OS X v10.4.10 (PowerPC): http://www.apple.com/support/downloads/
- Apple SecUpd2007-007Univ.dmg for Mac OS X v10.4.10 (Universal): http://www.apple.com/support/downloads/

Apache Software Foundation Tomcat 5.2
- Apache apache-tomcat-5.5.23.tar.gz: http://gulus.usherbrooke.ca/pub/appl/apache/tomcat/tomcat-5/v5.5.23/bin/apache-tomcat-5.5.23.tar.gz

Apache Software Foundation Tomcat 5.3
- Apache apache-tomcat-5.5.23.tar.gz: http://gulus.usherbrooke.ca/pub/appl/apache/tomcat/tomcat-5/v5.5.23/bin/apache-tomcat-5.5.23.tar.gz

Apache Software Foundation Tomcat 5.4
- Apache apache-tomcat-5.5.23.tar.gz: http://gulus.usherbrooke.ca/pub/appl/apache/tomcat/tomcat-5/v5.5.23/bin/apache-tomcat-5.5.23.tar.gz

Apache Software Foundation Tomcat 5.5.14
- Apache apache-tomcat-5.5.23.tar.gz: http://gulus.usherbrooke.ca/pub/appl/apache/tomcat/tomcat-5/v5.5.23/bin/apache-tomcat-5.5.23.tar.gz

Apache Software Foundation Tomcat 5.5.16
- Apache apache-tomcat-5.5.23.tar.gz: http://gulus.usherbrooke.ca/pub/appl/apache/tomcat/tomcat-5/v5.5.23/bin/apache-tomcat-5.5.23.tar.gz

Apache Software Foundation Tomcat 5.5.19
- Apache apache-tomcat-5.5.23.tar.gz: http://gulus.usherbrooke.ca/pub/appl/apache/tomcat/tomcat-5/v5.5.23/bin/apache-tomcat-5.5.23.tar.gz

Apache Software Foundation Tomcat 5.5.21
- Apache apache-tomcat-5.5.23.tar.gz: http://gulus.usherbrooke.ca/pub/appl/apache/tomcat/tomcat-5/v5.5.23/bin/apache-tomcat-5.5.23.tar.gz

Apache Software Foundation Tomcat 5.5.22
- Apache apache-tomcat-5.5.23.tar.gz: http://gulus.usherbrooke.ca/pub/appl/apache/tomcat/tomcat-5/v5.5.23/bin/apache-tomcat-5.5.23.tar.gz

Apache Software Foundation Tomcat 6.0.3
- Apache apache-tomcat-6.0.10.tar.gz: http://apache.mirror.rafal.ca/tomcat/tomcat-6/v6.0.10/bin/apache-tomcat-6.0.10.tar.gz

Apache Software Foundation Tomcat 6.0.5
- Apache apache-tomcat-6.0.10.tar.gz: http://apache.mirror.rafal.ca/tomcat/tomcat-6/v6.0.10/bin/apache-tomcat-6.0.10.tar.gz

Apache Software Foundation Tomcat 6.0.7
- Apache apache-tomcat-6.0.10.tar.gz: http://apache.mirror.rafal.ca/tomcat/tomcat-6/v6.0.10/bin/apache-tomcat-6.0.10.tar.gz

Apache Software Foundation Tomcat 6.0.8
- Apache apache-tomcat-6.0.10.tar.gz: http://apache.mirror.rafal.ca/tomcat/tomcat-6/v6.0.10/bin/apache-tomcat-6.0.10.tar.gz
References
References:
- Apache Tomcat Homepage (Apache)
- ASA-2007-206 - tomcat security update (Avaya)
- CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1) ("Williams, James K")
- HPSBUX02262 SSRT071447 rev. 1 (Hewlett-Packard)
- Apache HTTP Server / Tomcat directory traversal (SEC Consult Research)
- CA20090123-01: Security Notice for Cohesion Tomcat (Computer Associates)
- Directory traversal vulnerabilities in Interstage Application Server (Fujitsu)
- Red Hat Security Advisory RHSA-2007:0327: tomcat security update (Red Hat)
- RHSA-2007:1069-5 Moderate: tomcat security update for Red Hat Network Satellite (Red Hat)
- RHSA-2008:0261-4 Moderate: Red Hat Network Satellite Server security update (Red Hat)
- RHSA-2008:0524-4 Red Hat Network Satellite Server security update (Red Hat)
- Security Vulnerabilities in Tomcat 4.0 Shipped with Solaris 9 and 10 (Sun Microsystems)