Help Net Security
Help Net Security

Apache Tomcat 4.1.39 fixes security issues

Apache Tomcat is an implementation of the Java Server Pages 1.2 and Java Servlet 2.3 specifications. Apache Tomcat powers numerous large-scale, mission-critical web applications across a diverse range of industries and organizations.

The Apache Tomcat team is proud to announce the immediate availability of Tomcat 4.1.39 stable. This build contains a small number of bug fixes as well as the security fixes outlined below.

Moderate: Session hi-jacking CVE-2008-0128
When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is transmitted without the “secure” attribute, resulting in it being transmitted to any content that is – by purpose or error – requested via http from the same server.

This was fixed in revision 684900. Affects: 4.1.0-4.1.37

Low: Cross-site scripting CVE-2008-1232
The message argument of 

HttpServletResponse.sendError()

call is not only displayed on the error page, but is also used for the reason-phrase of HTTP response. This may include characters that are illegal in HTTP headers. It is possible for a specially crafted message to result in arbitrary content being injected into the HTTP response. For a successful XSS attack, unfiltered user supplied data must be included in the message argument.

This was fixed in revision 680947. Affects: 4.1.0-4.1.37

Important: Information disclosure CVE-2008-2370
When using a RequestDispatcher the target path was normalized before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory.

This was fixed in revision 680950. Affects: 4.1.0-4.1.37

Important: Directory traversal CVE-2008-2938

If a context is configured with 

allowLinking="true"

and the connector is configured with 

URIEncoding="UTF-8"

then a malformed request may be used to access arbitrary files on the server. If the connector is configured with 

URIEncoding="UTF-8"

then a malformed request may be used to access arbitrary files within the docBase of a context such as web.xml. It should also be noted that setting 

useBodyEncodingForURI="true"

has the same effect as setting 

URIEncoding="UTF-8"

when processing requests with bodies encoded with UTF-8.

This was fixed in revision 681065. Affects: 4.1.0-4.1.37

Featured news

Sponsored

Don't miss