
Apache Tomcat 5.5.26 Error Report


This was fixed in revision 1558828. The following Java system properties have been added to Tomcat to provide additional control of the handling of path delimiters in URLs (both options default to false): org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true|false and org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true|false

These pages have been simplified not to use any user provided data in the output.

Protecting the Shutdown Port

Tomcat uses a port (defaults to 8005) as a shutdown port.

When Tomcat is used behind a proxy (including, but not limited to, Apache HTTP server with mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP request containing strings like The blocking IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation provided by the JVM. add x-O(Set-Cookie) to your pattern). (pero) Support logging of current thread name at AccessLogValve (ex. This flaw is mitigated if Tomcat is behind a reverse proxy (such as Apache httpd 2.2) as the proxy should reject the invalid transfer encoding header.

This was fixed in revision 1381035. Affects: 6.0.0-6.0.32 Low: Information disclosure CVE-2011-2204 When using the MemoryUserDatabase (based on tomcat-users.xml) and creating users via JMX, an exception during the user creation process may trigger an error message in The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat

  1. Affects: 6.0.0-6.0.18 Important: Denial of Service CVE-2009-0033 If Tomcat receives a request with invalid headers via the Java AJP connector, it does not return an error and instead closes the AJP
  2. This issue was identified by the Tomcat security team on 2 November 2014 and made public on 14 May 2015.
  3. This was fixed in revisions 1200601, 1206324 and 1229027.
  4. Submitted by Shiva Kumar H R. (pero) 42103: Use correct names for truststoreFile, truststoreType and truststorePass when saving server.xml in Admin webapp.
  5. The security implications were identified by the Tomcat security team the day the report was received and made public on 27 May 2014.

This vulnerability only occurs when all of the following are true: Tomcat is running on a Linux operating system; jsvc was compiled with libcap; -user parameter is used.

Affected Tomcat versions This issue has been discussed several times on the Tomcat mailing lists. This also makes sure (among other things), that a webapplication isn't able to read/write/execute any file on the local filesystem without enabling it in the catalina.policy file. This enabled a XSS attack.

Based on patch provided by mdietze. (markt/kkolinko) 49236: Do not use indexing when packing Tomcat JARs. (kkolinko) 48990: Build windows distributions correctly on Linux and add support for the skip.installer property. This was fixed in revisions 782757 and 783291. https://tomcat.apache.org/tomcat-5.5-doc/changelog.html Affects: 6.0.0-6.0.35 Important: Bypass of CSRF prevention filter CVE-2012-4431 The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in

In some circumstances disabling renegotiation may result in some clients being unable to access the application. This work-around is included in Tomcat 5.5.33 onwards. Important: Remote Denial Of Service CVE-2010-4476 A JVM bug could cause Double conversion to hang JVM when accessing to a form based security constrained page or any page that calls javax.servlet.ServletRequest.getLocale() This was fixed in revision 1392248.

Apache Tomcat Security Vulnerabilities

command line switch. When a session ID was present, authentication was bypassed. This vulnerability only occurs when Tomcat is running web applications from untrusted sources such as in a shared hosting environment. This allows an attacker to create arbitrary content outside of the web root by including entries such as ../../bin/catalina.sh in the WAR.

This fixes regressions in 1.5.2. (markt) Align server.xml installed by the Windows installer with the one bundled in zip/tar.gz archives. (kkolinko) Encode all property files using ascii escaped UTF-8. (rjung) Correct When accessing resources via the ServletContext methods getResource() getResourceAsStream() and getResourcePaths() the paths should be limited to the current web application. An alternative to repackaging the JAR is available on the Discussion page.

After a failed undeploy, the remaining files will be deployed as a result of the autodeployment process. Affects: 6.0.0-6.0.31 Moderate: TLS SSL Man In The Middle CVE-2009-3555 A vulnerability exists in the TLS protocol that allows an attacker to inject arbitrary requests into a TLS stream during renegotiation. Affects: 5.5.0-5.5.27 Low: Information disclosure CVE-2009-0580 Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of user names by supplying illegally URL encoded

Note that making this change may prevent Lambda Probe (popular Tomcat monitoring webapp) from initialising as it cannot determine the Tomcat version. Patch provided by Takayuki Kaneko (pero) Made session createTime accessible for all SessionManager via JMX (pero) Support logging of all response header values at ExtendedAccessLogValve (ex. TLD validation was failing as a result of the use of the escape character (0x1b) as a temporary replacement for \$.

Patch provided by Noah Levitt. (markt) Jasper 43702: Reduce length of unnecessarily long class names for the inner helper class when using simple tags. (markt) 43757: Rather than use string matching

Made the strategy more robust for temporary connection problems (pero) Tomcat 5.5.20 (fhanik) released 2006-09-28 Catalina Fix logic error in UserDatabaseRealm.getprincipal() that caused user roles assigned via groups to be ignored. (markt) Affects: 5.0.0-5.0.30, 5.5.0-5.5.12 Important: Denial of service CVE-2005-3510 The root cause is the relatively expensive calls required to generate the content for the directory listings. This enabled a XSS attack. Both files can be found in the webapps/docs subdirectory of a binary distribution.

This was fixed in revisions 1221282, 1224640 and 1228191.

To rename the manager webapp, decide on the new name (we'll use foobar in this example), and:

  1. Move CATALINA_HOME/conf/Catalina/localhost/manager.xml to CATALINA_HOME/conf/Catalina/localhost/foobar.xml
  2. Update the docBase attribute within CATALINA_HOME/conf/Catalina/localhost/foobar.xml to ${catalina.home}/server/webapps/foobar
  3. Move CATALINA_HOME/server/webapps/manager

Patch provided by Suzuki Yuichiro. (markt) Coyote 38332: Add backlog attribute to ChannelSocket as provided by Takayoshi Kimura. (pero) Backport packetSize feature from Tomcat 6.0.x at standard coyote AJP Jk handler. Affects: 6.0.0-6.0.18 released 31 Jul 2008 Fixed in Apache Tomcat 6.0.18 Note: These issues were fixed in Apache Tomcat 6.0.17 but the release vote for that release candidate did not pass.

This directory is used for a variety of temporary files such as the intermediate files generated when compiling JSPs to Servlets. Add support for maxPort attribute on a Connector element as a synonym for channelSocket.maxPort. (kkolinko) Jasper 49935: Handle compilation of recursive tag files. (markt) Cluster Improve sending an access message in FireFox) isn't expecting it. (billbarker) Fix bug in CGI Servlet that caused it to fail when a CGI resource was included in another resource. (markt) Cookie handling/parsing changes! Affects: 5.0.0-5.0.30, 5.5.0-5.5.21 not released Fixed in Apache Tomcat 5.5.21, 5.0.SVN Low: Cross-site scripting CVE-2007-1358 Web pages that display the Accept-Language header value sent by the client are susceptible to a

Patch provided by Tristan Marly. (markt) 37588: Fix creation of JNDI Realm in admin application. Affects: 5.5.0-5.5.35 released 16 Jan 2012 Fixed in Apache Tomcat 5.5.35 Important: Denial of service CVE-2012-0022 Analysis of the recent hash collision vulnerability identified unrelated inefficiencies with Apache Tomcat's handling of This was fixed in revision 1659537. It is a very bad idea to run Tomcat as root, so the options are (in no particular order); Use Apache running on port 80 and mod_jk (or mod_proxy_ajp) to proxy

Also remove requirement that custom error report Valves extend ValveBase. (markt) 41217: Set secure attribute on SSO cookie when cookie is created during a secure request. An alternative character (0xe000) from the unicode private use range is now used. (markt) 41057: Make jsp:plugin output XHTML compliant. (markt) 41327: Show full URI for a 404. This was first reported to the Tomcat security team on 2 Mar 2009 and made public on 4 Jun 2009. This was fixed in revision 1037779.

This was first reported to the Tomcat security team on 01 Feb 2011 and made public on 31 Jan 2011. Although the root cause was quickly identified as a JVM issue and that it affected multiple JVMs from multiple vendors, it was decided to report this as a Tomcat vulnerability until Tomcat provides several session persistence mechanisms. It did not consider the use of quotes or %5C within a cookie value.

This issue was identified by the Tomcat security team on 13 July 2012 and made public on 4 December 2012. This was fixed in revision 747840. This was fixed in revision 1027610. This was identified by the Tomcat security team on 27 Jan 2011 and made public on 5 Feb 2011.