TomcatのCookie処理の問題

Security 2月 12, 2008
(Last Updated On: 2008年2月12日)

脆弱性は意外と単純な所に残っている場合の方が多いです。

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5333

Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (“) characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.

これだけだと解りづらいですが以下のURLにもう少し詳しく書いてあります。

http://www.securityfocus.com/archive/1/archive/1/487822/100/0/threaded

Examples:
+++
GET /myapp/MyCookies HTTP/1.1
Host: localhost
Cookie: name="val " ue"
Cookie: name1=moi
+++
http://example:8080/examples/servlets/servlet/CookieExample?cookiename=t
est&cookievalue=test%5c%5c%22%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A0
1+UTC%3B+Path%3D%2Fservlets-examples%2Fservlet+%3B


今まで見つからなかったのが不思議なくらいですが、脆弱性とはそういうものです。

CVEをTomcat 4のメンテナンスは滞っているのでは気になったのですが

4.1.x users should build from the latest svn source

とsubversionリポジトリからビルドしなければならないようです。少なからずTomcat 4で運用しているサイトがあると思います。この問題に対応できてないのではないか、と心配になります。

subversionリポジトリだけでも更新されていれば適切に管理しているサイトであれば十分だとは思いますが、リポジトリだけで修正されている問題は結構あrます。

http://tomcat.apache.org/security-4.html

important: Information disclosure CVE-2005-3164

If a client specifies a Content-Length but disconnects before sending any of the request body, the deprecated AJP connector processes the request using the request body of the previous request. Users are advised to use the default, supported Coyote AJP connector which does not exhibit this issue.

Affects: 4.0.1-4.0.6, 4.1.0-4.1.36

moderate: Cross-site scripting CVE-2007-1355

The JSP and Servlet included in the sample application within the Tomcat documentation webapp did not escape user provided data before including it in the output. This enabled a XSS attack. These pages have been simplified not to use any user provided data in the output.

Affects: 4.0.1-4.0.6, 4.1.0-4.1.36

low: Cross-site scripting CVE-2007-2449

JSPs within the examples web application did not escape user provided data before including it in the output. This enabled a XSS attack. These JSPs now filter the data before use. This issue may be mitigated by undeploying the examples web application. Note that it is recommended that the examples web application is not installed on a production system.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.36

low: Cross-site scripting CVE-2007-2450

The Manager web application did not escape user provided data before including it in the output. This enabled a XSS attack. This applciation now filters the data before use. This issue may be mitigated by logging out (closing the browser) of the application once the management tasks have been completed.

Affects: 4.0.1-4.0.6, 4.1.0-4.1.36

low: Session hi-jacking CVE-2007-3382

Tomcat incorrectly treated a single quote character (‘) in a cookie value as a delimiter. In some circumstances this lead to the leaking of information such as session ID to an attacker.

Affects: 4.1.0-4.1.36

low: Cross-site scripting CVE-2007-3383

When reporting error messages, the SendMailServlet (part of the examples web application) did not escape user provided data before including it in the output. This enabled a XSS attack. This Servlet now filters the data before use. This issue may be mitigated by undeploying the examples web application. Note that it is recommended that the examples web application is not installed on a production system.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.36

low: Session hi-jacking CVE-2007-3385

Tomcat incorrectly handled the character sequence \” in a cookie value. In some circumstances this lead to the leaking of information such as session ID to an attacker.

Affects: 4.1.0-4.1.36

low: Session hi-jacking CVE-2007-5333

The previous fix for CVE-2007-3385 was incomplete. It did not consider the use of quotes or %5C within a cookie value.

Affects: 4.1.0-4.1.36

important: Information disclosure CVE-2007-5461

When Tomcat’s WebDAV servlet is configured for use with a context and has been enabled for write, some WebDAV requests that specify an entity with a SYSTEM tag can result in the contents of arbitary files being returned to the client.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.36

投稿者: yohgaki