Vigil@nce - Apache Tomcat: authentication bypass via URL mangling
December 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who must go through authentication via a form, can
append /j_security_check to to URL, in order to bypass the
authentication process.
– Impacted products: Tomcat, Fedora
– Severity: 2/4
– Creation date: 05/12/2012
DESCRIPTION OF THE VULNERABILITY
The URL suffix /j_security_check has a special meaningful in the
authentication process with a form.
Some Tomcat components other than the one in charge of password
check can define the account used to validate accesses for the
remote user (the principal). However, when the requested URL has
this special suffix, these assignments badly interact with the
desire that access to the error pages and login form are always
granted, which leads to premature termination of the credentials
validation.
An attacker who must go through authentication via a form, can
append /j_security_check to to URL, in order to bypass the
authentication process.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Apache-Tomcat-authentication-bypass-via-URL-mangling-12208