Apache Tomcat 5.0.x <= 5.0.30 / 5.5.x < 5.5.25 Multiple Vulnerabilities

This script is Copyright (C) 2010-2014 Tenable Network Security, Inc.


Synopsis :

The remote Apache Tomcat service may be affected by multiple
vulnerabilities.

Description :

According to its self-reported version number, the Apache Tomcat
install listening on this port is 5.0.x equal to or earlier than
5.0.30 or 5.5.x earlier than 5.5.25 and, as such, may be affected by
multiple vulnerabilities :

- An error exists in several JSP example files that allows
script injection via URLs using the '
' character.
(CVE-2007-2449)

- The Manager and Host Manager applications do not
properly sanitize the 'filename' parameter of the
'/manager/html/upload' script, which can lead to cross-
site scripting attacks. (CVE-2007-2450)

- An error exists in the handling of cookie values
containing single quotes which Tomcat treats as
delimiters. This can allow disclosure of sensitive
information such as session IDs. (CVE-2007-3382)

- An error exists in the handling of cookie values
containing backslashes which Tomcat treats as
delimiters. This can allow disclosure of sensitive
information such as session IDs. (CVE-2007-3385)

- An error exists in the Host Manager application which
allows script injection. (CVE-2007-3386)

Note that Nessus did not actually test for the flaws but instead has
relied on the version in Tomcat's banner or error page, so this may be
a false positive.

Also note, in the case of 5.0.x versions, the issues have been fixed
by SVN revision number 588821.
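As an added illustration (not part of the plugin or Tenable's code), the version test described above, written in Python: it extracts the self-reported version from a banner or error page and flags the two affected branches, and, exactly like the plugin, it cannot tell whether the vulnerable example or manager applications are actually deployed. The sample banners are constructed.

```python
import re

# Affected branches as stated in the plugin description:
#   5.0.x with x <= 30, and 5.5.x with x < 25.
AFFECTED_BRANCHES = {
    (5, 0): lambda patch: patch <= 30,
    (5, 5): lambda patch: patch < 25,
}

# Tomcat reports itself as "Apache Tomcat/x.y.z" in its default
# error pages; a bare Coyote banner carries no version at all.
VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a banner/error page, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())


def is_affected(text):
    """True when the self-reported version falls in an affected branch.
    A version-only check: a hardened install with the examples and
    manager apps removed would still be flagged (false positive)."""
    v = parse_version(text)
    if v is None:
        return False
    check = AFFECTED_BRANCHES.get(v[:2])
    return bool(check and check(v[2]))


def assess(text):
    """Return (affected, advice) mirroring the plugin's Solution text."""
    v = parse_version(text)
    if not is_affected(text):
        return (False, "not in an affected branch or no version found")
    if v[:2] == (5, 0):
        return (True, "5.0.x: build from latest SVN source (fixed in r588821)")
    return (True, "5.5.x: update to a version greater than 5.5.25")


if __name__ == "__main__":
    # Constructed sample inputs, not real scan data.
    for banner in ("Apache Tomcat/5.5.23",
                   "<title>Apache Tomcat/5.0.30 - Error report</title>",
                   "Apache Tomcat/5.5.25",
                   "Server: Apache-Coyote/1.1"):
        print(banner, "->", assess(banner))
```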

See also :

http://www.nessus.org/u?1a40289c
http://archives.neohapsis.com/archives/bugtraq/2007-06/0181.html
http://archives.neohapsis.com/archives/bugtraq/2007-06/0183.html
http://archives.neohapsis.com/archives/bugtraq/2007-08/0190.html
http://archives.neohapsis.com/archives/bugtraq/2007-08/0191.html
http://archives.neohapsis.com/archives/bugtraq/2007-10/0102.html

Solution :

Update Apache Tomcat to a version greater than 5.5.25 or use the
latest SVN source for 5.0.x.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 51059

Bugtraq ID: 24475, 24476, 25314, 25316

CVE ID: CVE-2007-2449, CVE-2007-2450, CVE-2007-3382, CVE-2007-3385, CVE-2007-3386