Apache Tomcat JK Connector Double Encoding Security Bypass Vulnerability
BID:24147
Info
| Bugtraq ID: | 24147 |
| Class: | Input Validation Error |
| CVE: | CVE-2007-1860 |
| Remote: | Yes |
| Local: | No |
| Published: | May 24 2007 12:00AM |
| Updated: | Mar 19 2015 09:10AM |
| Credit: | Kazu Nambo is credited with the discovery of this vulnerability. |
| Vulnerable: |
SuSE SUSE Linux Enterprise Server 9 SP3
SuSE SUSE Linux Enterprise Server 9
SuSE SUSE Linux Enterprise Server 8
SuSE SUSE Linux Enterprise Server 10 SP1
SuSE SUSE Linux Enterprise Server 10
SuSE SUSE Linux Enterprise SDK 10.SP1
SuSE SUSE Linux Enterprise SDK 10 SP1
SuSE SUSE Linux Enterprise SDK 10
SuSE SUSE Linux Enterprise Desktop 10 SP1
SuSE SUSE Linux Enterprise Desktop 10
SuSE SUSE Linux Enterprise 10 SP1 DEBUGINFO
SuSE openSUSE 10.3
SuSE Linux Professional 10.2 x86_64
SuSE Linux Personal 10.2 x86_64
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. SuSE Linux Open-Xchange 4.1
S.u.S.E. openSUSE 10.2
S.u.S.E. openSUSE 10.1
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Open-Enterprise-Server 1
S.u.S.E. Open-Enterprise-Server 0
S.u.S.E. Office Server
S.u.S.E. Novell Linux POS 9
S.u.S.E. Novell Linux Desktop SDK 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Novell Linux Desktop 1.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 10.2
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 10.2
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Openexchange Server
S.u.S.E. Linux Office Server
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux Desktop 10
S.u.S.E. Linux 10.1 x86-64
S.u.S.E. Linux 10.1 x86
S.u.S.E. Linux 10.1 ppc
S.u.S.E. Linux 10.0 x86-64
S.u.S.E. Linux 10.0 x86
S.u.S.E. Linux 10.0 ppc
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Application Stack v1 for Enterprise Linux ES 4
RedHat Application Stack v1 for Enterprise Linux AS 4
Red Hat Red Hat Network Satellite Server 5.0
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
HP HP-UX B.11.31
HP HP-UX B.11.23
HP HP-UX B.11.11
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 4.0 sparc
Debian Linux 4.0 s/390
Debian Linux 4.0 powerpc
Debian Linux 4.0 mipsel
Debian Linux 4.0 mips
Debian Linux 4.0 m68k
Debian Linux 4.0 ia-64
Debian Linux 4.0 ia-32
Debian Linux 4.0 hppa
Debian Linux 4.0 arm
Debian Linux 4.0 amd64
Debian Linux 4.0 alpha
Debian Linux 4.0
Avaya Integrated Management 5.0
Avaya Integrated Management 4.0
Apple Mac OS X Server 10.4.10
Apple Mac OS X Server 10.3.9
Apple Mac OS X 10.4.10
Apple Mac OS X 10.3.9
Apache Software Foundation Tomcat JK Web Server Connector 1.2.21 |
| Not Vulnerable: | Apache Software Foundation Tomcat JK Web Server Connector 1.2.23 |
Discussion
Apache HTTP server running with the Tomcat JK Web Server Connector is prone to a security-bypass vulnerability because it decodes request URLs multiple times.
Exploiting this issue allows attackers to access restricted files in the Tomcat web directory. This can expose sensitive information that could help attackers launch further attacks.
This issue is present in versions prior to Apache Tomcat JK Connector 1.2.23.
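For defenders reviewing web server logs, the check below is an added example (not part of the original advisory or of mod_jk): it flags request paths that still change after one round of percent-decoding, and reports when an access rule evaluated on the once-decoded path would disagree with the fully decoded path. The log lines, addresses, paths and the DENY_PREFIX rule are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines; addresses, paths and the deny rule are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [24/May/2007:10:00:01 +0000] "GET /docs/index.html HTTP/1.1" 200 512
192.0.2.11 - - [24/May/2007:10:00:02 +0000] "GET /docs/my%20report.pdf HTTP/1.1" 200 2048
192.0.2.12 - - [24/May/2007:10:00:03 +0000] "GET /docs/%2570rivate/report.txt HTTP/1.1" 200 731
192.0.2.13 - - [24/May/2007:10:00:04 +0000] "GET /search?q=100%2525 HTTP/1.1" 200 90
"""
DENY_PREFIX = "/docs/private/"  # hypothetical front-end access rule

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def decode_layers(path, limit=5):
    """Percent-decode repeatedly and return each form until it stops changing."""
    forms = [path]
    for _ in range(limit):
        nxt = unquote(forms[-1], encoding="latin-1")
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms


def scan(log_text):
    """Return findings for request paths that still decode after one pass."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]  # access rules match the path only
        forms = decode_layers(path)
        if len(forms) <= 2:  # raw form plus at most one decoded form is normal
            continue
        once, final = forms[1], forms[-1]
        findings.append({
            "raw": path,
            "decoded_once": once,
            "decoded_fully": final,
            # True when the rule passes the once-decoded path but the fully
            # decoded path falls under the denied prefix.
            "rule_bypassed": (not once.startswith(DENY_PREFIX)
                              and final.startswith(DENY_PREFIX)),
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A literal percent sign followed by two hex digits in a legitimate file name will also be flagged, so findings need review before being treated as hostile.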
Exploit / POC
Attackers can use a browser to exploit this issue.
Solution / Fix
Solution:
The vendor has released Apache Tomcat JK Connector 1.2.23 to address this issue. Please see the references for more information.
Apache Software Foundation Tomcat JK Web Server Connector 1.2.21
- Apache Apache Tomcat JK Connector 1.2.23
  http://www.apache.org/dist/tomcat/tomcat-connectors/jk/source/jk-1.2.23/tomcat-connectors-1.2.23-src.tar.gz
Apple Mac OS X Server 10.3.9
- Apple SecUpdSrvr2007-007Pan.dmg For Mac OS X Server v10.3.9
  http://www.apple.com/support/downloads/
Apple Mac OS X 10.3.9
- Apple SecUpd2007-007Pan.dmg For Mac OS X v10.3.9
  http://www.apple.com/support/downloads/
Apple Mac OS X 10.4.10
- Apple SecUpd2007-007Ti.dmg For Mac OS X v10.4.10 (PowerPC)
  http://www.apple.com/support/downloads/
- Apple SecUpd2007-007Univ.dmg For Mac OS X v10.4.10 (Universal)
  http://www.apple.com/support/downloads/
Apple Mac OS X Server 10.4.10
- Apple SecUpdSrvr2007-007Ti.dmg For Mac OS X Server v10.4.10 (PowerPC)
  http://www.apple.com/support/downloads/
- Apple SecUpdSrvr2007-007Universal.dmg For Mac OS X Server v10.4.10 (Universal)
  http://www.apple.com/support/downloads/
References
- Apache Tomcat Connector Homepage (Apache Software Foundation)
- Apache Tomcat Homepage (Apache)
- RHSA-2007:0379-4 - mod_jk security update (RedHat)
- RHSA-2007:0380-01 - mod_jk security update (RedHat)
- HPSBUX02262 SSRT071447 rev. 1 (Hewlett-Packard)
- ASA-2008-054 mod_jk vulnerability may lead to information disclosure (Avaya)
- Fixed in Apache Tomcat JK Connector 1.2.23 (Apache Software Foundation)
- RHSA-2008:0261-4 Moderate: Red Hat Network Satellite Server security update (Red Hat)