It looks to me like the change fixes an NPE when a null or nonsense password is given. The NPE would allow an attacker to determine if a username is valid (without having to know the password). Not the most serious security breach, but login protocols aren't supposed to let you guess usernames. -- Len
On Thu, Jun 4, 2009 at 12:48, Christopher Schultz<ch...@christopherschultz.net> wrote:
> Mark,
>
> On 6/3/2009 11:42 AM, Mark Thomas wrote:
>> CVE-2009-0580: Tomcat information disclosure vulnerability
>
> I know I'm likely to get a vague response, but could you provide some
> more info about this issue?
>
>> Due to insufficient error checking in some authentication classes,
>> Tomcat allows for the enumeration (brute force testing) of usernames by
>> supplying illegally URL encoded passwords.
>
> [snip]
>
>> j_username=tomcat&j_password=%
>
> I'm not sure how the patch (I read the patch for TC5.5
> DataSourceRealm.java) changes anything at all: it appears to be merely a
> performance optimization.
>
> No changes are made to the behavior of Tomcat, since the same null is
> returned to the caller if the credentials do not match.
>
> I don't see any information disclosure vulnerability in the first place,
> and I don't see how your patch would have fixed it.
>
> ??!
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
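The oracle Len describes, as an added toy model written for this thread (it is not Tomcat's code and does not reproduce the actual DataSourceRealm patch): a realm that looks the user up first and only afterwards touches the supplied credential fails differently for a known user (an unhandled exception, the analogue of the NPE, surfacing as a 500) than for an unknown one (a clean login failure), so sending j_password=% once per candidate name enumerates the user table. The hardened realm rejects a missing credential before the lookup so both cases take the same path. The user table, the percent-decoder, the status codes and the class names are all assumptions made up for the example.

```python
"""Toy model of the username-enumeration oracle discussed for CVE-2009-0580.

Not Tomcat's code: the realm classes, the user table and the HTTP status
mapping are constructed for illustration.
"""
import hashlib
from typing import Optional


def percent_decode(raw: str) -> Optional[str]:
    """Decode %XX escapes and '+'. Return None for a malformed sequence such
    as a bare "%", modelling a parameter parser that yields null (None) for
    an undecodable value instead of raising at parse time."""
    out = []
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == "%":
            hexpair = raw[i + 1:i + 3]
            if len(hexpair) < 2 or any(h not in "0123456789abcdefABCDEF" for h in hexpair):
                return None
            out.append(chr(int(hexpair, 16)))
            i += 3
        elif c == "+":
            out.append(" ")
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def digest(password: str) -> str:
    """Stored-credential digest; calling this with None raises, which is the
    model's stand-in for the NullPointerException."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample user table (digests only); not real credentials.
USERS = {"tomcat": digest("tomcat"), "admin": digest("s3cret")}


class VulnerableRealm:
    """Looks the user up first, touches the credential only for known users."""

    def authenticate(self, username, credentials):
        stored = USERS.get(username)
        if stored is None:
            return None                      # unknown user: clean failure
        # Known user: a None credential blows up here and only here.
        return username if digest(credentials) == stored else None


class FixedRealm:
    """Validates both inputs before any lookup, so the code path, and hence
    the response, does not depend on whether the username exists."""

    def authenticate(self, username, credentials):
        if username is None or credentials is None:
            return None
        stored = USERS.get(username)
        if stored is None or digest(credentials) != stored:
            return None
        return username


def handle_login(realm, username: str, raw_password: str) -> int:
    """Status a form-login handler would emit: 302 on success, 403 on a
    normal login failure, 500 when authenticate() throws."""
    try:
        principal = realm.authenticate(username, percent_decode(raw_password))
    except Exception:
        return 500
    return 302 if principal else 403


def enumerate_users(realm, candidates):
    """Probe each candidate with j_password=% and report every name whose
    response differs from that of a name known not to exist."""
    baseline = handle_login(realm, "no-such-user-7f3a", "%")
    return [u for u in candidates if handle_login(realm, u, "%") != baseline]


if __name__ == "__main__":
    names = ["tomcat", "admin", "bob"]
    print("vulnerable realm leaks:", enumerate_users(VulnerableRealm(), names))
    print("fixed realm leaks:     ", enumerate_users(FixedRealm(), names))
```

The check a practitioner wants is the last function: run it against a login endpoint with a handful of names, one of which cannot exist, and any name that gets a different status, page or timing than the impossible one is being confirmed. Note that the fix is not about the null returned to the caller on a mismatch (which is indeed the same in both realms) but about the path taken before that return.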