Apache Tomcat WebDav Remote Information Disclosure Vulnerability
BID: 26070
Info
| Bugtraq ID: | 26070 |
| Class: | Design Error |
| CVE: | CVE-2007-5461 CVE-2007-5731 |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 14 2007 12:00AM |
| Updated: | Mar 19 2015 09:13AM |
| Credit: | eliteb0y discovered this issue. |
| Vulnerable: |
WiKID Systems WiKID Server 3.0.4 VMWare VirtualCenter Management Server 2 VMWare VirtualCenter 2.0.2 VMWare VirtualCenter 2.5 Update 5 VMWare VirtualCenter 2.5 Update 2 VMWare VirtualCenter 2.5 Update 1 VMWare VirtualCenter 2.5 VMWare VirtualCenter 2.0.2 Update 5 VMWare VirtualCenter 2.0.2 Update 4 VMWare VirtualCenter 2.0.2 Update 3 VMWare VirtualCenter 2.0.2 Update 2 VMWare VirtualCenter 2.0.2 Update 1 VMWare vCenter 4.0 VMWare Server 2.0.2 VMWare Server 2.0.1 VMWare Server 2.0 VMWare ESX Server 3.0.3 VMWare ESX Server 3.0.2 VMWare ESX Server 3.0.1 VMWare ESX Server 3.0 VMWare ESX Server 4.0 VMWare ESX Server 3.5 SuSE SUSE Linux Enterprise Server 9 SP3 SuSE SUSE Linux Enterprise Server 9 SuSE SUSE Linux Enterprise Server 8 SuSE SUSE Linux Enterprise Server 10 SP2 SuSE SUSE Linux Enterprise Server 10 SP1 SuSE SUSE Linux Enterprise Server 10 SuSE SUSE Linux Enterprise SDK 10.SP1 SuSE SUSE Linux Enterprise SDK 10 SP1 SuSE SUSE Linux Enterprise SDK 10 SuSE SUSE Linux Enterprise Desktop 10 SP1 SuSE SUSE Linux Enterprise Desktop 10 SuSE SUSE Linux Enterprise 10 SP1 DEBUGINFO SuSE openSUSE 10.3 SuSE Linux Professional 10.2 x86_64 SuSE Linux Personal 10.2 x86_64 Sun Solaris 9_x86 Sun Solaris 9_sparc Sun Solaris 10_x86 Sun Solaris 10_sparc S.u.S.E. UnitedLinux 1.0 S.u.S.E. SuSE Linux Standard Server 8.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SUSE LINUX Retail Solution 8.0 S.u.S.E. SuSE Linux Openexchange Server 4.0 S.u.S.E. SuSE Linux Open-Xchange 4.1 S.u.S.E. openSUSE 10.2 S.u.S.E. openSUSE 10.1 S.u.S.E. Open-Enterprise-Server 9.0 S.u.S.E. Open-Enterprise-Server 1 S.u.S.E. Open-Enterprise-Server 0 S.u.S.E. Office Server S.u.S.E. Novell Linux POS 9 S.u.S.E. Novell Linux Desktop SDK 9.0 S.u.S.E. Novell Linux Desktop 9.0 S.u.S.E. Novell Linux Desktop 1.0 S.u.S.E. Linux Professional 10.0 OSS S.u.S.E. Linux Professional 10.0 S.u.S.E. Linux Professional 10.2 S.u.S.E. Linux Professional 10.1 S.u.S.E. Linux Personal 10.0 OSS S.u.S.E. Linux Personal 10.2 S.u.S.E. 
Linux Personal 10.1 S.u.S.E. Linux Openexchange Server S.u.S.E. Linux Desktop 1.0 S.u.S.E. Linux Desktop 10 S.u.S.E. Linux 10.1 x86-64 S.u.S.E. Linux 10.1 x86 S.u.S.E. Linux 10.1 ppc S.u.S.E. Linux 10.0 x86-64 S.u.S.E. Linux 10.0 x86 S.u.S.E. Linux 10.0 ppc RedHat Red Hat Network Satellite (for RHEL 4) 5.1 RedHat Network Satellite (for RHEL 4) 4.2 RedHat Enterprise Linux Desktop Workstation 5 client RedHat Developer Suite EL4 3 RedHat Certificate Server 7.3 RedHat Application Server WS4 2 RedHat Application Server ES4 2 RedHat Application Server AS4 2 Red Hat Red Hat Network Satellite Server 5.0 Red Hat Network Satellite (for RHEL 3) 4.2 Red Hat Fedora 7 Red Hat Enterprise Linux Desktop 5 client Red Hat Enterprise Linux 5 Server Pardus Linux 2008 0 Mandriva Linux Mandrake 2008.0 x86_64 Mandriva Linux Mandrake 2008.0 Mandriva Linux Mandrake 2007.1 x86_64 Mandriva Linux Mandrake 2007.1 IBM WebSphere Application Server Community Edition 2.0 1 IBM WebSphere Application Server Community Edition 2.0 IBM WebSphere Application Server Community Edition 1.1 2 IBM WebSphere Application Server Community Edition 1.1 1 IBM WebSphere Application Server Community Edition 1.0.1 2 IBM WebSphere Application Server Community Edition 1.0.1 1 IBM WebSphere Application Server Community Edition 1.0.1 IBM WebSphere Application Server Community Edition 1.0 1 IBM WebSphere Application Server Community Edition 1.1 IBM WebSphere Application Server Community Edition 1.0 Gentoo www-servers/tomcat 6.0.15 Gentoo www-servers/tomcat 6.0.14 Gentoo www-servers/tomcat 6.0.13 Gentoo www-servers/tomcat 6.0.12 Gentoo www-servers/tomcat 6.0.11 Gentoo www-servers/tomcat 6.0.10 Gentoo www-servers/tomcat 6.0.9 Gentoo www-servers/tomcat 6.0.8 Gentoo www-servers/tomcat 6.0.7 Gentoo www-servers/tomcat 6.0.6 Gentoo www-servers/tomcat 6.0.5 Gentoo www-servers/tomcat 6.0.4 Gentoo www-servers/tomcat 6.0.3 Gentoo www-servers/tomcat 6.0.2 Gentoo www-servers/tomcat 6.0.1 Gentoo www-servers/tomcat 6.0 Debian Linux 4.0 
sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0 Avaya Meeting Exchange - Enterprise Edition Avaya Meeting Exchange 5.0 .0.52 Avaya Meeting Exchange 5.0 Avaya Aura Application Enablement Services 4.2.1 Avaya Aura Application Enablement Services 4.0.1 Avaya Aura Application Enablement Services 3.1.6 Avaya Aura Application Enablement Services 3.1.5 Avaya Aura Application Enablement Services 3.1.4 Avaya Aura Application Enablement Services 3.1.3 Avaya Aura Application Enablement Services 4.2 Avaya Aura Application Enablement Services 4.1 Avaya Aura Application Enablement Services 4.0 Avaya Aura Application Enablement Services 3.1 Avaya Aura Application Enablement Services 3.0 Apple Mac OS X Server 10.5.5 Apple Mac OS X Server 10.4.11 Apple Mac OS X Server 10.4.10 Apple Mac OS X Server 10.4.9 Apple Mac OS X Server 10.4.8 Apple Mac OS X Server 10.4.7 Apple Mac OS X Server 10.4.6 Apple Mac OS X Server 10.4.5 Apple Mac OS X Server 10.4.4 Apple Mac OS X Server 10.4.3 Apple Mac OS X Server 10.4.2 Apple Mac OS X Server 10.4.1 Apple Mac OS X Server 10.4 Apple Mac OS X 10.4.11 Apple Mac OS X 10.4.10 Apple Mac OS X 10.4.9 Apple Mac OS X 10.4.8 Apple Mac OS X 10.4.7 Apple Mac OS X 10.4.6 Apple Mac OS X 10.4.5 Apple Mac OS X 10.4.4 Apple Mac OS X 10.4.3 Apple Mac OS X 10.4.2 Apple Mac OS X 10.4.1 Apple Mac OS X 10.4 Apache Software Foundation Tomcat 6.0.14 Apache Software Foundation Tomcat 6.0.13 Apache Software Foundation Tomcat 6.0.12 Apache Software Foundation Tomcat 6.0.11 Apache Software Foundation Tomcat 6.0.10 Apache Software Foundation Tomcat 6.0.9 Apache Software Foundation Tomcat 6.0.8 Apache Software Foundation Tomcat 6.0.7 Apache Software Foundation Tomcat 6.0.6 Apache Software Foundation Tomcat 6.0.5 Apache Software Foundation Tomcat 6.0.4 Apache 
Software Foundation Tomcat 6.0.3 Apache Software Foundation Tomcat 6.0.2 Apache Software Foundation Tomcat 6.0.1 Apache Software Foundation Tomcat 6.0 Apache Software Foundation Tomcat 5.5.24 Apache Software Foundation Tomcat 5.5.23 Apache Software Foundation Tomcat 5.5.22 Apache Software Foundation Tomcat 5.5.21 Apache Software Foundation Tomcat 5.5.20 Apache Software Foundation Tomcat 5.5.19 Apache Software Foundation Tomcat 5.5.18 Apache Software Foundation Tomcat 5.5.17 Apache Software Foundation Tomcat 5.5.16 Apache Software Foundation Tomcat 5.5.15 Apache Software Foundation Tomcat 5.5.14 Apache Software Foundation Tomcat 5.5.13 Apache Software Foundation Tomcat 5.5.12 Apache Software Foundation Tomcat 5.5.11 Apache Software Foundation Tomcat 5.5.10 Apache Software Foundation Tomcat 5.5.9 Apache Software Foundation Tomcat 5.5.8 Apache Software Foundation Tomcat 5.5.7 Apache Software Foundation Tomcat 5.5.6 Apache Software Foundation Tomcat 5.5.5 Apache Software Foundation Tomcat 5.5.4 Apache Software Foundation Tomcat 5.5.3 Apache Software Foundation Tomcat 5.5.2 Apache Software Foundation Tomcat 5.5.1 Apache Software Foundation Tomcat 5.5 Apache Software Foundation Tomcat 5.4 Apache Software Foundation Tomcat 5.3 Apache Software Foundation Tomcat 5.2 Apache Software Foundation Tomcat 5.1 Apache Software Foundation Tomcat 5.0.31 Apache Software Foundation Tomcat 5.0.30 Apache Software Foundation Tomcat 5.0.28 Apache Software Foundation Tomcat 5.0.19 Apache Software Foundation Tomcat 5.0.16 Apache Software Foundation Tomcat 5.0.15 Apache Software Foundation Tomcat 5.0.14 Apache Software Foundation Tomcat 5.0.13 Apache Software Foundation Tomcat 5.0.12 Apache Software Foundation Tomcat 5.0.11 Apache Software Foundation Tomcat 5.0.10 Apache Software Foundation Tomcat 5.0.9 Apache Software Foundation Tomcat 5.0.8 Apache Software Foundation Tomcat 5.0.7 Apache Software Foundation Tomcat 5.0.6 Apache Software Foundation Tomcat 5.0.5 Apache Software Foundation 
Tomcat 5.0.4 Apache Software Foundation Tomcat 5.0.3 Apache Software Foundation Tomcat 5.0.2 Apache Software Foundation Tomcat 5.0.1 Apache Software Foundation Tomcat 5.0 Apache Software Foundation Tomcat 4.1.37 Apache Software Foundation Tomcat 4.1.36 Apache Software Foundation Tomcat 4.1.34 Apache Software Foundation Tomcat 4.1.32 Apache Software Foundation Tomcat 4.1.31 Apache Software Foundation Tomcat 4.1.24 Apache Software Foundation Tomcat 4.1.12 Apache Software Foundation Tomcat 4.1.10 Apache Software Foundation Tomcat 4.1.9 beta Apache Software Foundation Tomcat 4.1.3 beta Apache Software Foundation Tomcat 4.1 Apache Software Foundation Tomcat 4.0.7 Apache Software Foundation Tomcat 4.0.6 Apache Software Foundation Tomcat 4.0.5 Apache Software Foundation Tomcat 4.0.4 Apache Software Foundation Tomcat 4.0.3 Apache Software Foundation Tomcat 4.0.2 Apache Software Foundation Tomcat 4.0.1 Apache Software Foundation Tomcat 4.0 Apache Software Foundation Tomcat 5.0 Apache Software Foundation Tomcat 4.0.0 RC2 Apache Software Foundation Jakarta Slide 2.1 Apache Software Foundation Geronimo 2.0.2 Apache Software Foundation Geronimo 2.0.1 Apache Software Foundation Geronimo 1.1 Apache Software Foundation Geronimo 1.0.1 Apache Software Foundation Geronimo 1.0 |
| Not Vulnerable: | WiKID Systems WiKID Server 3.0.5; VMWare VirtualCenter 2.5 Update 6; VMWare vCenter 4.0 Update 1 |
Discussion
Apache Tomcat is prone to a remote information-disclosure vulnerability in its WebDAV servlet.
Remote attackers can exploit this issue to obtain the contents of sensitive files stored on the server.
Exploit / POC
The following exploits are available:
Solution / Fix
Solution:
Updates are available. Please see the references for more information.
References
References:
- About the security content of Security Update 2008-004 and Mac OS X 10.5.4 (Apple)
- Apache Geronimo Potential vulnerability in Apache Tomcat Webdav servlet (Apache)
- Apache Geronimo Web Site (Apache)
- Apache Tomcat 4.x vulnerabilities (Apache)
- Apache Tomcat 5.x vulnerabilities (Apache)
- Apache Tomcat 6.x vulnerabilities (Apache)
- Apache Tomcat Homepage (Apache)
- GERONIMO-3549: Potential vulnerability in Apache Tomcat Webdav servlet (Apache)
- Important vulnerability disclosed in Apache Tomcat webdav servlet (Apache)
- Release Name: 3.0.5 (WiKID Systems)
- Tomcat Webdav servlet security vulnerability in WebSphere Application Server Com (IBM)
- WebDAV Homepage (WebDAV)
- VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release addre (VMware Security Team)
- ASA-2008-401 - tomcat security update (RHSA-2008-0862) (Avaya)
- RHSA-2008:0042-4 - tomcat security update (Red Hat)
- RHSA-2008:0195-5 tomcat security update (Red Hat)
- RHSA-2008:0261-4 Moderate: Red Hat Network Satellite Server security update (Red Hat)
- RHSA-2008:0524-4 Red Hat Network Satellite Server security update (Red Hat)
- RHSA-2008:0630-3 Low: Red Hat Network Satellite Server security update (Red Hat)
- Security Vulnerabilities in Tomcat 4.0 Shipped with Solaris 9 and 10 (Sun Microsystems)
- Solution 239312 : Security Vulnerabilities in Tomcat 4.0 Shipped with Solaris (Sun)