Christopher Schultz wrote:
> Mark,
> 
> On 6/3/2009 11:42 AM, Mark Thomas wrote:
>> CVE-2009-0580: Tomcat information disclosure vulnerability
> 
> I know I'm likely to get a vague response, but could you provide some
> more info about this issue?

I'm sorry you have that impression. As I hope you see from this thread,
the Tomcat security team is more than happy to discuss any vulnerability
in detail once the vulnerability has been made public.

>> j_username=tomcat&j_password=%
> 
> I'm not sure how the patch (I read the patch for TC5.5
> DataSourceRealm.java) changes anything at all: it appears to be merely a
> performance optimization.

Not quite.

> No changes are made to the behavior of Tomcat, since the same null is
> returned to the caller if the credentials do not match.

If the credentials are null (e.g. a password via FORM auth with invalid
encoding) then there is an NPE. It is as a result of lines 332/334
(5.5.x, post patch). If credentials is null then digest(credentials) is
also null which results in an NPE when we try
digest(credentials).equals(...)

The NPE isn't handled and results in a blank response back to
the client.

> I don't see any information disclosure vulnerability in the first place,
> and I don't see how your patch would have fixed it.

The patch stops this NPE from happening and ensures that users get a
"login failed" message rather than a blank screen.

You are correct that for the current DataSource and JDBC Realms that
this is just a bug fix. However, for the MemoryRealm there is a test at
line 150 that means the responses for a valid and invalid user when
credentials are null are different. Valid users cause an NPE and a blank
response. Invalid users get a login failed message.

For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and
4.1.0 to 4.1.31, with the DataSource Realm introduced in 4.1.17) are
vulnerable.

I'll issue an update to the vulnerability notice to clarify this.

If you have any further questions, please do ask.

Mark
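The behaviour Mark describes for the MemoryRealm (a null password reaching digest(credentials).equals(...) only for users that exist, so valid and invalid usernames produce different responses), modelled as an added example. This is not Tomcat source code and not part of the thread: the user table, the digest() stand-in, the authenticate methods and responseFor() are all assumptions that reproduce the pre-fix and post-fix shapes of the check, not the real Realm code.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Toy model of the null-credentials NPE discussed in the thread.
 * Added example, not Tomcat source. The realm, user table and digest()
 * stand-in are assumptions modelling the MemoryRealm case Mark describes.
 */
public class RealmNpeDemo {

    // Constructed sample user table: username -> stored credential.
    private static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("tomcat", "s3cret");
    }

    /** Stand-in for Realm.digest(): null in, null out, as in the thread. */
    static String digest(String credentials) {
        return credentials; // no real hashing; only the null propagation matters here
    }

    /**
     * Pre-fix shape (MemoryRealm): an unknown user returns null before any
     * comparison, but a known user reaches digest(credentials).equals(...)
     * and throws NullPointerException when credentials is null.
     */
    static String authenticateVulnerable(String username, String credentials) {
        String stored = USERS.get(username);
        if (stored == null) {
            return null; // unknown user: caller shows "login failed"
        }
        if (digest(credentials).equals(stored)) { // NPE when credentials == null
            return username;
        }
        return null;
    }

    /** Post-fix shape: reject null credentials before any lookup or comparison. */
    static String authenticateFixed(String username, String credentials) {
        if (username == null || credentials == null) {
            return null; // same "login failed" path for every user
        }
        String stored = USERS.get(username);
        if (stored == null) {
            return null;
        }
        if (digest(credentials).equals(stored)) {
            return username;
        }
        return null;
    }

    /** What the client sees: "ok", "login failed", or a blank page from the unhandled NPE. */
    static String responseFor(boolean fixed, String username, String credentials) {
        try {
            String principal = fixed ? authenticateFixed(username, credentials)
                                     : authenticateVulnerable(username, credentials);
            return principal == null ? "login failed" : "ok";
        } catch (NullPointerException e) {
            return "<blank response>";
        }
    }

    public static void main(String[] args) {
        // Constructed request: j_password=% cannot be URL-decoded, so the
        // realm is handed null credentials (assumption modelling the thread).
        String undecodablePassword = null;
        System.out.println("pre-fix,  valid user:   " + responseFor(false, "tomcat", undecodablePassword));
        System.out.println("pre-fix,  unknown user: " + responseFor(false, "nobody", undecodablePassword));
        System.out.println("post-fix, valid user:   " + responseFor(true, "tomcat", undecodablePassword));
        System.out.println("post-fix, unknown user: " + responseFor(true, "nobody", undecodablePassword));
    }
}
```

Compile and run with `javac RealmNpeDemo.java && java RealmNpeDemo`. In the pre-fix branch the two usernames get different responses (blank page versus "login failed"), which is the distinguishing signal the advisory classes as information disclosure; the fix collapses both to "login failed" by rejecting null credentials before the comparison that would dereference them.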


