Apache HTTP Server / Tomcat directory traversal

SEC Consult Security Advisory < 20070314-0 >


title: Apache HTTP Server / Tomcat directory traversal

program: Apache HTTP Server / Apache Tomcat

vulnerable version: Apache Tomcat 5.x: < 5.5.22

Apache Tomcat 6.x: < 6.0.10

CVE: CVE-2007-0450

impact: high

homepage: httpd.apache.org


found: 2006-11-27

by: D. Matscheko / SEC-CONSULT / www.sec-consult.com



Vendor description:



The Apache HTTP Server Project is an effort to develop and maintain

an open-source HTTP server for modern operating systems including

UNIX and Windows NT. The goal of this project is to provide a

secure, efficient and extensible server that provides HTTP services

in sync with the current HTTP standards.


[Source: httpd.apache.org]


Apache Tomcat is the servlet container that is used in the official

Reference Implementation for the Java Servlet and JavaServer Pages

technologies. The Java Servlet and JavaServer Pages specifications

are developed by Sun under the Java Community Process.


[Source: tomcat.apache.org]



Vulnerability overview:



If the Apache HTTP Server and Tomcat are configured to interoperate

with the common proxy modules (mod_proxy, mod_rewrite, mod_jk), an

attacker might be able to break out of the intended destination

path up to the webroot in Tomcat.



Vulnerability description:



* The only character found to be accepted as directory separator

from Apache is "/" (slash).

* On the other hand Tomcat allows characters including URI encoded

characters like "/" (slash), "\" (backslash) or "%5C" (backslash

URI encoded).


This allowing an attacker to utilize directory traversing attack



Depending on the configuration HTTP requests, including strings like

"/\../" allow attackers to break out of the given context- and

directory structures.



Example / proof of concept:



As an example an URL like




would point to the Tomcat Manager Application. If the password for

the Tomcat Manager can be guessed, it is possible to deploy new

applications like e.g. a remote command shell.


Note: Using this method, the Tomcat Manager and also other web

applications can be accessed over port 80, even if they are not

proxied by the Apache HTTP Server. Port 8080 (the Tomcat HTTP port)

and 8009 (the Tomcat AJP port) can be and are assumed to be blocked

by a firewall.



Vulnerable versions:



Apache Tomcat < 5.5.22

Apache Tomcat < 6.0.10



Vendor status:



vendor notified: 2007-02-08

vendor response: 2007-02-08

patch available: 2007-02-28

disclosure: 2007-03-14




SEC Consult Unternehmensberatung GmbH


Office Vienna

Blindengasse 3

A-1080 Wien



Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com



SEC Consult conducts periodical information security workshops on ISO

27001/BS 7799 in cooperation with BSI Management Systems. For more

information, please refer to www.sec-consult.com/236.html


EOF David Matscheko / @2007