Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[CVE-2007-5342] Apache Tomcat's default security policy is too open

from [Mark Thomas] Network Security [Permanent Link]
Subject: [CVE-2007-5342] Apache Tomcat's default security policy is too open
Date: Sun, 23 Dec 2007 19:26:08 +0000 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2007-5342: Tomcat's default security policy is too open

Severity:
Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 5.5.9 to 5.5.25
Tomcat 6.0.0 to 6.0.15

Description:
The JULI logging component allows web applications to provide their own
logging configurations. The default security policy does not restrict this
configuration and allows an untrusted web application to add files or
overwrite existing files where the Tomcat process has the necessary file
permissions to do so.

Mitigation:
Apply the following patch to the catalina.policy file
http://svn.apache.org/viewvc?rev=606594&view=rev
The patch will be included in 5.5.25 onwards and 6.0.16 onwards
This patch is also included at the end of this announcement

Example:
An application could have its own WEB-INF/classes/logging.properties

handlers = org.apache.juli.FileHandler
org.apache.juli.FileHandler.level = FINE
org.apache.juli.FileHandler.directory = ${catalina.base}/logs
org.apache.juli.FileHandler.prefix = mylog.

Credit:
This issue was discovered by Delian Krustev.

References:
http://tomcat.apache.org/security.html

Mark Thomas

*** Patch starts below this line ***
Index: catalina.policy
===================================================================
- --- catalina.policy   (revision 606588)
+++ catalina.policy     (working copy)
@@ -62,7 +62,19 @@

 // These permissions apply to the logging API
 grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
- -        permission java.security.AllPermission;
+        permission java.util.PropertyPermission 
"java.util.logging.config.class", "read";
+        permission java.util.PropertyPermission 
"java.util.logging.config.file", "read";
+        permission java.lang.RuntimePermission "shutdownHooks";
+        permission java.io.FilePermission 
"${catalina.base}${file.separator}conf${file.separator}logging.properties", 
"read";
+        permission java.util.PropertyPermission "catalina.base", "read";
+        permission java.util.logging.LoggingPermission "control";
+        permission java.io.FilePermission 
"${catalina.base}${file.separator}logs", "read, write";
+        permission java.io.FilePermission 
"${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+        permission java.lang.RuntimePermission "getClassLoader";
+        // To enable per context logging configuration, permit read access to 
the appropriate file.
+        // Be sure that the logging configuration is secure before enabling 
such access
+        // eg for the examples web application:
+        // permission java.io.FilePermission 
"${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties",
 "read";
 };

 // These permissions apply to the server startup code

*** Patch ends above this line ***






-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHbrZQb7IeiTPGAkMRAhg1AJ4ydvIa2WIuHN8x3TKGD01xReatbgCfTtj2
8TzsMaXSUzeuEvnOuY5fmCo=
=N5J9
-----END PGP SIGNATURE-----
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [CVE-2007-5342] Apache Tomcat's default security policy is too open, Mark Thomas <=
Previous by Date:  PHP <= 5.2.5 Safe Mode Bypass, admin
Next by Date:  SimpleForum <= 4.6.2 - Cross-Site Scripting Vulnerability, sys-project
Previous by Thread:  PHP <= 5.2.5 Safe Mode Bypass, admin
Next by Thread:  SimpleForum <= 4.6.2 - Cross-Site Scripting Vulnerability, sys-project
Indexes:  [Date] [Thread] [Top] [All Lists]