Vigil@nce: Apache Tomcat, information disclosure via WWW-Authenticate
April 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When a part of a Tomcat web application is protected by HTTP
authentication and the realm-name element is not configured,
an attacker can obtain the real host name (or IP address) and port of the server.
– Severity: 1/4
– Creation date: 22/04/2010
DESCRIPTION OF THE VULNERABILITY
When the HTTP Basic/Digest authentication is enabled, Apache
Tomcat returns to the client:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="RealmName" ...
The realm name is taken from the <realm-name> element of the
<login-config> section of the application's web.xml configuration file.
However, if this element is missing, Tomcat automatically generates the
realm name as:
getServerName() + ":" + getServerPort()
The server's host name (or IP address) and port are thus disclosed in
the header. Note that getServerName() reflects the Host header when the
request carries one; a request sent without a Host header (HTTP/1.0)
makes Tomcat fall back to the connector's own host name or IP address,
which is the value of interest to an attacker.
When a part of a Tomcat web application is protected by HTTP
authentication and the realm-name element is not configured,
an attacker can therefore obtain the real host name (or IP address) and port of the server.
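The following checker, added here as an illustration and not part of the Vigil@nce bulletin or of Tomcat itself, parses the realm out of a WWW-Authenticate header and flags realms that have the auto-generated host:port shape described above. The sample headers, host names and addresses below are constructed for the example; the optional probe() sends an HTTP/1.0 request without a Host header so that Tomcat's fallback to its own name or address is what comes back.

```python
import re
import socket
from typing import Optional, Tuple

# Value of the realm="..." parameter in a WWW-Authenticate header
# (Basic and Digest use the same syntax for this parameter).
REALM_RE = re.compile(r'realm="([^"]*)"', re.IGNORECASE)

# Shape of the realm Tomcat generates when <realm-name> is absent:
# getServerName() + ":" + getServerPort(), i.e. a host name or IPv4
# address, a colon and a decimal port. A hand-written realm that happens
# to follow this pattern is a false positive: this is a heuristic.
AUTOGEN_RE = re.compile(
    r'^(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.\-]*[A-Za-z0-9])?):(?P<port>\d{1,5})$'
)


def extract_realm(www_authenticate: str) -> Optional[str]:
    """Return the realm value from a WWW-Authenticate header, or None."""
    m = REALM_RE.search(www_authenticate)
    return m.group(1) if m else None


def looks_autogenerated(realm: str) -> bool:
    """True if the realm has Tomcat's default host:port shape."""
    m = AUTOGEN_RE.match(realm)
    return bool(m) and 1 <= int(m.group("port")) <= 65535


def assess(www_authenticate: str) -> Tuple[str, Optional[str]]:
    """Classify one WWW-Authenticate header value.

    Returns ("no-realm", None), ("leaks-host", realm) or ("ok", realm).
    """
    realm = extract_realm(www_authenticate)
    if realm is None:
        return ("no-realm", None)
    if looks_autogenerated(realm):
        return ("leaks-host", realm)
    return ("ok", realm)


def assess_response(head: str) -> Tuple[str, Optional[str]]:
    """Classify a raw HTTP response head (status line plus headers, CRLF-separated)."""
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "401":
        return ("not-401", None)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            return assess(value.strip())
    return ("no-realm", None)


def probe(host: str, port: int, path: str = "/", timeout: float = 5.0) -> Tuple[str, Optional[str]]:
    """Request a protected path as HTTP/1.0 with no Host header and classify the reply.

    getServerName() echoes the Host header when one is present, so the
    request deliberately omits it. Not called below; the offline checks
    use constructed data only.
    """
    request = f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks).decode("iso-8859-1", "replace")
    return assess_response(raw.split("\r\n\r\n", 1)[0])


# Constructed sample headers (not captured from a real server).
SAMPLES = {
    "configured": 'Basic realm="RealmName"',
    "manager":    'Basic realm="Tomcat Manager Application"',
    "hostname":   'Basic realm="app01.intranet.example:8080"',
    "digest_ip":  'Digest realm="10.0.0.12:8443", qop="auth", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"',
    "no_realm":   'Bearer',
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        verdict, realm = assess(header)
        print(f"{name:10s} {verdict:10s} realm={realm!r}")
```

A "leaks-host" verdict on a server that is reached through a proxy or load balancer is the case this bulletin describes: the realm reveals the back-end name or address rather than the public one. The remedy is configuration, not code: add a <realm-name> element to the <login-config> section of the application's web.xml so Tomcat never has to fall back to getServerName() + ":" + getServerPort().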
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Apache-Tomcat-information-disclosure-via-WWW-Authenticate-9604