Vigil@nce: Apache Tomcat, reading posted data
March 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
When Apache Tomcat displays posted HTTP data, an attacker can
obtain fragments of previously posted data.
Gravity: 2/4
Consequences: data reading
Provenance: internet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 26/02/2009
IMPACTED PRODUCTS
– Apache Tomcat
DESCRIPTION OF THE VULNERABILITY
The getPOSTBody() method of the org.apache.catalina.connector.Request
class is used to retrieve HTTP data posted on Apache Tomcat. This
method uses doRead() of org.apache.coyote.http11.filters.SavedRequestInputFilter
when a filter (or a valve) is configured.
However, the doRead() method does not correctly check the end of
the posted data, and can thus return more data than was posted. This
additional data comes from previous HTTP POST requests.
If an application displays posted data and uses a Filter/Valve,
an attacker can therefore post his own data. The application then
displays the attacker's data followed by fragments of previous HTTP
POST requests.
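As an added illustration (neither Tomcat's code nor part of the advisory), the constructed model below shows the read-filter defect the description outlines: an unchecked doRead() copies a full chunk out of a buffer reused across requests and so hands back stale bytes of an earlier POST, while the bounded version stops at the saved body's end. The class, method and field names are assumptions, not Tomcat's.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

// Constructed model of a saved-POST-body read filter, not Tomcat's code: the input
// buffer is reused across requests, so bytes past the current body are stale.
public class SavedBodyReadDemo {
    private final byte[] buffer = new byte[64]; // shared, reused across requests
    private int bodyStart, bodyEnd;             // unread bytes of the saved body
    // Copy a new request body into the shared buffer; older bytes past it remain.
    void saveBody(String body) {
        byte[] b = body.getBytes(StandardCharsets.ISO_8859_1);
        System.arraycopy(b, 0, buffer, 0, b.length);
        bodyStart = 0;
        bodyEnd = b.length;
    }
    // Vulnerable shape: fills the chunk to capacity without checking bodyEnd,
    // so the copy runs past the saved body into stale bytes of an earlier POST.
    int doReadUnchecked(byte[] chunk) {
        if (bodyStart >= bodyEnd) return -1;
        int n = chunk.length; // missing bound on the remaining body length
        System.arraycopy(buffer, bodyStart, chunk, 0, n);
        bodyStart += n;
        return n;
    }
    // Corrected shape: never return more than the bytes remaining in the saved body.
    int doReadBounded(byte[] chunk) {
        if (bodyStart >= bodyEnd) return -1;
        int n = Math.min(chunk.length, bodyEnd - bodyStart);
        System.arraycopy(buffer, bodyStart, chunk, 0, n);
        bodyStart += n;
        return n;
    }
    // Drain the body the way an application reading the POST data would.
    static String drain(SavedBodyReadDemo r, boolean bounded, int chunkSize) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] chunk = new byte[chunkSize];
        for (int n; (n = bounded ? r.doReadBounded(chunk) : r.doReadUnchecked(chunk)) > 0; )
            out.write(chunk, 0, n);
        return new String(out.toByteArray(), StandardCharsets.ISO_8859_1);
    }
    public static void main(String[] args) {
        for (boolean bounded : new boolean[] {false, true}) {
            SavedBodyReadDemo r = new SavedBodyReadDemo();
            r.saveBody("user=alice&token=SECRET1234"); // constructed earlier POST
            r.saveBody("x=1");                         // constructed later, shorter POST
            System.out.println((bounded ? "bounded:   " : "unchecked: ") + drain(r, bounded, 24));
        }
    }
}
```

With a 24-byte chunk the unchecked read returns "x=1r=alice&token=SECRET1", the tail of the earlier body, while the bounded read returns only "x=1".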
CHARACTERISTICS
Identifiers: 40771, BID-33913, CVE-2008-4308, VIGILANCE-VUL-8495
http://vigilance.fr/vulnerability/Apache-Tomcat-reading-posted-data-8495