-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2007-5333: Tomcat Cookie handling vulnerabilities Severity: low - Session hi-jacking Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.1.0 to 4.1.36 Tomcat 5.5.0 to 5.5.25 Tomcat 6.0.0 to 6.0.14 Description: The previous fix for CVE-2007-3385 was incomplete. It did not consider the use of quotes or %5C within a cookie value. Mitigation: 6.0.x users should upgrade to Tomcat 6.0.16 or later 5.5.x users should upgrade to Tomcat 5.5.26 or later 4.1.x users should build from the latest svn source Examples: +++ GET /myapp/MyCookies HTTP/1.1 Host: localhost Cookie: name="val " ue" Cookie: name1=moi +++ http://example:8080/examples/servlets/servlet/CookieExample?cookiename=t est&cookievalue=test%5c%5c%22%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A0 1+UTC%3B+Path%3D%2Fservlets-examples%2Fservlet+%3B Credit: The quotes issue was reported by John Kew. The %5C issue was reported by Ishikawa Yoshihiro via JPCERT/CC. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-4.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html The Apache Tomcat Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHrONyb7IeiTPGAkMRAgKrAJwIX1fbtGT7iualwzRK8BDi+QRAkQCg3cMo 58hTHdwJzeFxLXgkLRQwBKk= =Dnsp -----END PGP SIGNATURE-----