SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
Search :
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Home arrow SecurityAlert Database

Arrow  Topic :

Apache Tomcat's default security policy is too open


Arrow  SecurityAlert : 3485
Arrow  CVE : CVE-2007-5342
Arrow  SecurityRisk : Low  Security Risk Low  (About)
Arrow  Remote Exploit : No
Arrow  Local Exploit : Yes
Arrow  Exploit Given : No
Arrow  Credit : Delian Krustev
Arrow  Published : 28.12.2007

Arrow  Affected Software : Tomcat 5.5.9 to 5.5.25
Tomcat 6.0.0 to 6.0.15



Arrow  Advisory Text :  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2007-5342: Tomcat's default security policy is too open

Severity:
Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 5.5.9 to 5.5.25
Tomcat 6.0.0 to 6.0.15

Description:
The JULI logging component allows web applications to provide their own
logging configurations. The default security policy does not restrict this
configuration and allows an untrusted web application to add files or
overwrite existing files where the Tomcat process has the necessary file
permissions to do so.

Mitigation:
Apply the following patch to the catalina.policy file
http://svn.apache.org/viewvc?rev=606594&view=rev
The patch will be included in 5.5.25 onwards and 6.0.16 onwards
This patch is also included at the end of this announcement

Example:
An application could have its own WEB-INF/classes/logging.properties

handlers = org.apache.juli.FileHandler
org.apache.juli.FileHandler.level = FINE
org.apache.juli.FileHandler.directory = ${catalina.base}/logs
org.apache.juli.FileHandler.prefix = mylog.

Credit:
This issue was discovered by Delian Krustev.

References:
http://tomcat.apache.org/security.html

Mark Thomas

*** Patch starts below this line ***
Index: catalina.policy
===================================================================
- --- catalina.policy (revision 606588)
+++ catalina.policy (working copy)
@@ -62,7 +62,19 @@

// These permissions apply to the logging API
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
- - permission java.security.AllPermission;
+ permission java.util.PropertyPermission
"java.util.logging.config.class", "read";
+ permission java.util.PropertyPermission
"java.util.logging.config.file", "read";
+ permission java.lang.RuntimePermission "shutdownHooks";
+ permission java.io.FilePermission
"${catalina.base}${file.separator}conf${file.separator}logging.propertie
s", "read";
+ permission java.util.PropertyPermission "catalina.base", "read";
+ permission java.util.logging.LoggingPermission "control";
+ permission java.io.FilePermission
"${catalina.base}${file.separator}logs", "read, write";
+ permission java.io.FilePermission
"${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+ permission java.lang.RuntimePermission "getClassLoader";
+ // To enable per context logging configuration, permit read access
to the appropriate file.
+ // Be sure that the logging configuration is secure before
enabling such access
+ // eg for the examples web application:
+ // permission java.io.FilePermission
"${catalina.base}${file.separator}webapps${file.separator}examples${file
.separator}WEB-INF${file.separator}classes${file.separator}logging.prope
rties", "read";
};

// These permissions apply to the server startup code

*** Patch ends above this line ***

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHbrZQb7IeiTPGAkMRAhg1AJ4ydvIa2WIuHN8x3TKGD01xReatbgCfTtj2
8TzsMaXSUzeuEvnOuY5fmCo=
=N5J9
-----END PGP SIGNATURE-----





Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

Multiple Vendors libc/gdtoa printf(3) Array Overrun

Security Risk High- 2009-05-30

SecurityReason realised new advisory about vulnerabilities libc/gdtoa...

Apache RSS Apache Alert

» Apache Tomcat
   RequestDispatcher
   directory traversal
   vulnerability

» Apache mod_dav / svn
   Remote Denial of Service
   Exploit

» Apache Tomcat Information
   disclosure

» Apache Tomcat User
   enumeration vulnerability
   with FORM authentication

PHP RSS PHP Alert

» PHP 5.2.9 curl safe_mode
   & open_basedir bypass

» PHP 5.2.6 SAPI
   php_getuid() overload

» PHP
   ZipArchive::extractTo()
   Directory Traversal
   Vulnerability

» PHP 5.2.6 dba_replace()
   destroying file

Copyright © SecurityReason.com. All Rights Reserved.