Apache Tomcat allowLinking UTF-8 Traversal Arbitrary File Access

Medium Nessus Plugin ID 33866

Synopsis

The remote web server is affected by a directory traversal vulnerability.

Description

The version of Apache Tomcat running on the remote host is affected by a directory traversal vulnerability due to an issue with the UTF-8 charset implementation within the underlying JVM. An unauthenticated, remote attacker can exploit this, by encoding directory traversal sequences as UTF-8 in a request, to view arbitrary files on the remote host.

Note that successful exploitation requires that a context be configured with 'allowLinking' set to 'true' and the connector with 'URIEncoding' set to 'UTF-8', neither of which is a default setting.

Solution

Upgrade to Tomcat 6.0.18 / 5.5.27 / 4.1.SVN or later.

See Also

https://www.securityfocus.com/archive/1/495318/30/0/threaded

https://www.securityfocus.com/archive/1/496168/30/0/threaded

https://www.securityfocus.com/archive/1/499356/30/0/threaded

http://tomcat.apache.org/security-6.html

http://tomcat.apache.org/security-5.html

http://tomcat.apache.org/security-4.html

Plugin Details

Severity: Medium

ID: 33866

File Name: tomcat_utf8_dir_traversal.nasl

Version: 1.27

Type: remote

Family: CGI abuses

Published: 2008/08/12

Updated: 2018/11/15

Dependencies: 11936, 39446

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 5.3

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:tomcat

Required KB Items: installed_sw/Apache Tomcat

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: false

Exploit Ease: No exploit is required

Exploited by Nessus: true

Patch Publication Date: 2008/08/11

Exploitable With

CANVAS (D2ExploitPack)

Elliot (Apache Tomcat File Disclosure)

Reference Information

CVE: CVE-2008-2938

BID: 30633

CWE: 22