Computer Security
[EN] securityvulns.ru no-pyccku


Apache Tomcat directory traversal
Published:14.03.2007
Source:
SecurityVulns ID:7403
Type:remote
Threat Level:
6/10
Description:It's possible to traverse directories with /\../.
Affected:APACHE : Tomcat 5.5
 APACHE : Tomcat 6.0
 APACHE : mod_jk 1.2
CVE:CVE-2007-1860 (mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.)
 CVE-2007-0450 (Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.)
Original documentdocumentSEC Consult Vulnerability Lab, SEC Consult SA-20070314-0 :: Apache HTTP Server / Tomcat directory traversal (14.03.2007)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod