Apache Tomcat 5.0.x <= 5.0.30 / 5.5.x < 5.5.23 Content-Length HTTP Request Smuggling

This script is Copyright (C) 2011-2013 Tenable Network Security, Inc.


Synopsis :

The remote web server is potentially affected by an HTTP request
smuggling vulnerability.

Description :

According to its self-reported version number, the instance of Apache
Tomcat listening on the remote host is 5.0.x equal to or earlier than
5.0.30 or 5.5.x earlier than 5.5.23. It is, therefore, potentially
affected by an HTTP request smuggling vulnerability.

Requests containing multiple 'content-length' headers are not rejected
as invalid. This error can allow web-cache poisoning, cross-site
scripting attacks and information disclosure.
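
The check that the affected versions omit, as an added example (not Tenable's plugin code and not Tomcat's): a strict validator that rejects a request head with more than one 'content-length' header. The function name, exception class and sample requests are assumptions made for illustration; it goes slightly beyond the text by also rejecting malformed length values and header lines that make the length ambiguous.

```python
import re

class AmbiguousFraming(ValueError):
    """Raised when a request head does not declare one unambiguous length."""

def content_length(head: bytes):
    """Return the declared body length, None if absent, or raise.

    `head` is the raw request line plus header lines (CRLF separated).
    """
    values = []
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        if not line:
            break                             # blank line ends the headers
        if line[:1] in (b" ", b"\t"):
            raise AmbiguousFraming("folded header line")
        name, sep, value = line.partition(b":")
        if not sep or name != name.strip():
            raise AmbiguousFraming("malformed header line")
        if name.lower() == b"content-length":  # header names are case-insensitive
            values.append(value.strip(b" \t"))
    if not values:
        return None
    if len(values) > 1:
        # The case the description names: reject instead of picking one value.
        raise AmbiguousFraming("multiple Content-Length headers")
    if not re.fullmatch(rb"[0-9]+", values[0]):
        raise AmbiguousFraming("Content-Length is not a plain decimal")
    return int(values[0])

# Constructed sample request heads (not captured traffic).
SINGLE = b"POST /app HTTP/1.1\r\nHost: example.test\r\nContent-Length: 12\r\n"
DOUBLE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 12\r\ncontent-length: 0\r\n")

if __name__ == "__main__":
    for label, head in (("single", SINGLE), ("double", DOUBLE)):
        try:
            print(label, "accepted, length", content_length(head))
        except AmbiguousFraming as exc:
            print(label, "rejected:", exc)
```

The same rule belongs on every hop in front of Tomcat (proxy, cache, firewall), since the problem arises when two components accept the request but choose different length values.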

Note that Nessus did not actually test for the flaw but instead
relied on the version in Tomcat's banner or error page, so this may be
a false positive.

Also note, in the case of 5.0.x versions, the issue has been fixed by
SVN revision number 513079.

See also :

http://www.nessus.org/u?bb925ad2
http://marc.info/?l=tomcat-dev&m=120155101522062&w=2
http://marc.info/?l=tomcat-dev&m=117270879831613&w=2

Solution :

Update Apache Tomcat to version 5.5.23 or later, or use the latest
SVN source for 5.0.x.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 17727

Bugtraq ID: 13873

CVE ID: CVE-2005-2090