SNS Advisory No.97
Apache Tomcat Improper Cookie Handling Session Hijacking Vulnerability
Problem first discovered on: Mon, 20 Aug 2007
Published on: Thu, 14 Feb 2008
Severity Level:
---------------
Low
Overview:
---------
Apache Tomcat has a session hijacking vulnerability caused by an input validation error in its handling of a specific character within cookie values. Under specific circumstances, an attacker exploiting it can impersonate an authorized user, gain access to the vulnerable application, and launch further attacks.
Problem Description:
--------------------
Apache Tomcat is open source software developed under the Jakarta project at the Apache Software Foundation; it is an application server that implements the Java Servlet and JavaServer Pages specifications.
Apache Tomcat has an input validation error in its handling of the backslash character (\, URL-encoded as %5c) within cookie values, which causes that character to be interpreted as a delimiter.
This could allow attackers to launch further attacks, such as session hijacking, by sending malicious cookies to the user's Web browser.
Affected Versions:
------------------
Apache Tomcat 4.1.36 and earlier
Apache Tomcat 5.5.25 and earlier
Apache Tomcat 6.0.14 and earlier
Solution:
---------
The vulnerability is fixed in Apache Tomcat 5.5.26 and 6.0.16; update to those versions or later.
Note: For Apache Tomcat 4.1.x, the Apache Software Foundation has released the fixed source code in its SVN repository <http://www.apache.org/>.
http://archive.apache.org/dist/tomcat/
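Added example, not part of this advisory or of the Tomcat code base: two compensating checks an application can apply alongside the upgrade, an allowlist for values the application itself places in Set-Cookie, and a request-side scan that flags Cookie headers carrying a raw or URL-encoded backslash (%5c). The sample headers and cookie names are constructed; Tomcat's own cookie parser is not reproduced here.

```python
import re
from urllib.parse import unquote

# Conservative allowlist for an outbound cookie value: a subset of the RFC 2109
# token characters. Separators such as ; , " \ and whitespace are excluded, and
# so is %, so that an encoded form of a separator cannot slip through.
TOKEN_RE = re.compile(r"^[!#$&'*+\-.0-9A-Za-z^_`|~]+$")


def is_safe_cookie_value(value: str) -> bool:
    """True if value is a plain token, so the server never has to quote or escape it.

    Checking this before addCookie() keeps a user-supplied backslash or quote
    out of the Set-Cookie header, whatever the server's cookie handling does.
    """
    return TOKEN_RE.fullmatch(value) is not None


def flag_backslash_cookies(cookie_header: str) -> list[str]:
    """Return the names of cookies in a Cookie request header whose value holds
    a backslash, raw or URL-encoded as %5c (the character named in the advisory).

    Meant for a request filter or log review: the header is scanned exactly as
    the client sent it, without relying on any quoting rules.
    """
    flagged = []
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep:
            continue  # not a name=value pair, ignore
        if "\\" in unquote(value):  # unquote turns %5c / %5C into a backslash
            flagged.append(name.strip())
    return flagged


# Constructed sample Cookie request headers (not real traffic).
SAMPLE_HEADERS = [
    "JSESSIONID=1A2B3C4D5E6F; theme=dark",
    "JSESSIONID=1A2B3C4D5E6F; pref=dark\\more",   # raw backslash
    "JSESSIONID=1A2B3C4D5E6F; pref=dark%5cmore",  # encoded backslash
]


def scan_headers(headers: list[str]) -> dict[int, list[str]]:
    """Map the index of each header carrying a flagged cookie to the cookie names."""
    hits = {}
    for i, header in enumerate(headers):
        names = flag_backslash_cookies(header)
        if names:
            hits[i] = names
    return hits


if __name__ == "__main__":
    print(scan_headers(SAMPLE_HEADERS))  # {1: ['pref'], 2: ['pref']}
```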
Discovered by:
--------------
Yoshihiro Ishikawa (LAC)
Thanks to:
----------
This SNS Advisory is being published in coordination with Information-technology Promotion Agency, Japan (IPA) and JPCERT/CC.
http://jvn.jp/jp/JVN%2309470767/index.html
http://jvndb.jvn.jp/contents/ja/2008/JVNDB-2008-000009.html
Disclaimer:
-----------
The information contained in this advisory may be revised without prior notice and is provided as is. Users take any action following reading this advisory at their own risk. LAC Co., Ltd. shall take no responsibility for any problems, loss or damage caused by, or arising from the use of, the information provided here.
This advisory can be found at the following URL:
http://www.lac.co.jp/english/advisory/97_e.html
