Vigil@nce: Apache Tomcat, information disclosure on previous sessions
January 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
In some cases, Apache Tomcat can return to an application data
belonging to the HTTP session of a previous user.
– Severity: 1/4
– Creation date: 17/01/2012
IMPACTED PRODUCTS
– Apache Tomcat
DESCRIPTION OF THE VULNERABILITY
A Tomcat application can use the following methods to obtain
information on the connected client:
– request.getRemoteAddr() : IP address
– request.getRemoteUser() : user name
– request.getRemoteHost() : host name
– etc.
Some of these information can then be included in the HTML page
generated for the client.
Apache Tomcat uses two memory areas to store session information.
However, both areas are not cleared simultaneously. So, data
belonging to the old session are still stored, whereas a new
session has already started.
In some cases, Apache Tomcat can therefore return to an
application data belonging to the HTTP session of a previous user.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Apache-Tomcat-information-disclosure-on-previous-sessions-11289