Author: markt Date: Wed Jun 3 14:02:06 2009 New Revision: 781382 URL: http://svn.apache.org/viewvc?rev=781382&view=rev Log: Fix NPE / information disclosure issue that allowed user enumeration with FORM auth. This is CVE-2009-0580.
Modified: tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java
Modified: tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
URL: http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt?rev=781382&r1=781381&r2=781382&view=diff
==============================================================================
--- tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt (original)
+++ tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt Wed Jun 3 14:02:06 2009
@@ -1753,6 +1753,11 @@
Fix typo in French localisation file name for the org.apache.catalina.loader package.
+[4.1.40] Realms
+ Fix information disclosure vulnerability that permitted user
+ enumeration when using FORM authentication.
+ This is CVE-2009-0580.
+ ---------------- Coyote Bug Fixes:
Modified: tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java
URL: http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java?rev=781382&r1=781381&r2=781382&view=diff
==============================================================================
--- tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java (original)
+++ tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java Wed Jun 3 14:02:06 2009
@@ -270,8 +270,9 @@
*/ public Principal authenticate(String username, String credentials) {
- // No user - can't possibly authenticate, don't bother the database then
- if (username == null) {
+ // No user or no credentials
+ // Can't possibly authenticate, don't bother the database then
+ if (username == null || credentials == null) {
return null; }
Modified: tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
URL: http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java?rev=781382&r1=781381&r2=781382&view=diff
==============================================================================
--- tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java (original)
+++ tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java Wed Jun 3 14:02:06 2009
@@ -391,10 +391,10 @@
String username, String credentials) {
-
- // No user - can't possibly authenticate
- if (username == null) {
- return (null);
+ // No user or no credentials
+ // Can't possibly authenticate, don't bother the database then
+ if (username == null || credentials == null) {
+ return null;
} // Look up the user's credentials
Modified: tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java
URL: http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java?rev=781382&r1=781381&r2=781382&view=diff
==============================================================================
--- tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java (original)
+++ tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java Wed Jun 3 14:02:06 2009
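Review bot: The added `credentials == null` guard in DataSourceRealm.authenticate (and the identical one in the JDBCRealm hunk that follows) is correct as far as these hunks show, but nothing in the code records why it must sit before the database lookup, which is what keeps a request without a password from behaving differently for existing and non-existing users. I would extend the new comment to `// No user or no credentials: return before any lookup so a missing password is not distinguishable from a wrong one (CVE-2009-0580)` and add `@return the authenticated Principal, or null if username or credentials is null or the lookup fails` to the Javadoc whose closing `*/` is the hunk's first context line. A regression test asserting that `authenticate(someKnownUser, null)` returns null without throwing, for each realm touched by this commit, would pin the behaviour. Other realm implementations that compare credentials themselves are not part of this diff and presumably need the same guard, unless it is hoisted into the shared base class. In JDBCRealm the signature is split across lines, so authenticate begins before its hunk; in both files the method body continues after the hunk.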
@@ -144,7 +144,7 @@
(GenericPrincipal) principals.get(username); boolean validated = false;
- if (principal != null) {
+ if (principal != null && credentials != null) {
if (hasMessageDigest()) { // Hex hashes should be compared case-insensitive validated = (digest(credentials)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
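Review bot: In MemoryRealm the null-credential guard is folded into `if (principal != null && credentials != null)` after `principals.get(username)` has already run, whereas the DataSourceRealm and JDBCRealm hunks in this same commit return before any lookup. That is enough to keep `digest(credentials)` two lines below from dereferencing null, but `validated` then stays false for both a missing password and an unknown user, and the code that consumes `validated` lies outside the hunk, so I cannot confirm from here that the two outcomes remain identical. For consistency with the other two realms I would add `if (credentials == null) { return null; }` before the lookup and leave the `principal != null` test as it was, with the comment `// A null password must never reach digest()/equals(): the resulting NPE would reveal whether the user exists (CVE-2009-0580)`. The enclosing method starts and ends outside this hunk.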