Technical Service Center, National Information and Communication Security Taskforce, Executive Yuan

Apache HTTP Server with Tomcat is prone to a Directory Traversal vulnerability


Overview: Apache HTTP Server deployments that use the Tomcat servlet container are prone to a directory traversal vulnerability because the application fails to properly sanitize user-supplied input. An attacker can exploit this issue to read arbitrary files within the Tomcat webroot, which may disclose sensitive information; the attacker may then use that information to mount further attacks.
Vulnerability ID: Bugtraq ID 22960
CVE ID: CVE-2007-0450
Affected platforms:
S.u.S.E. SUSE Linux Enterprise Server 10
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 10.2 x86_64
S.u.S.E. Linux Professional 10.2
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 10.2 x86_64
S.u.S.E. Linux Personal 10.2
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Enterprise Server 9
Apache Tomcat 6.0.9
Apache Tomcat 6.0.8
Apache Tomcat 6.0.7
Apache Tomcat 6.0.6
Apache Tomcat 6.0.5
Apache Tomcat 6.0.4
Apache Tomcat 6.0.3
Apache Tomcat 6.0.2
Apache Tomcat 6.0.1
Apache Tomcat 5.5.22
Apache Tomcat 5.5.21
Apache Tomcat 5.5.20
Apache Tomcat 5.5.19
Apache Tomcat 5.5.18
Apache Tomcat 5.5.17
Apache Tomcat 5.5.16
Apache Tomcat 5.5.15
Apache Tomcat 5.5.14
Apache Tomcat 5.5.13
Apache Tomcat 5.5.12
Apache Tomcat 5.5.11
Apache Tomcat 5.5.10
Apache Tomcat 5.5.9
Apache Tomcat 5.5.8
Apache Tomcat 5.5.7
Apache Tomcat 5.5.6
Apache Tomcat 5.5.5
Apache Tomcat 5.5.4
Apache Tomcat 5.5.3
Apache Tomcat 5.5.2
Apache Tomcat 5.5.1
Apache Tomcat 5.5
Apache Tomcat 5.4
Apache Tomcat 5.3
Apache Tomcat 5.2
Apache Tomcat 5.1
Apache Tomcat 5.0
Impact:
Information disclosure
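The advisory describes the flaw only in prose, so the following Python example is added here; it is not Tomcat's code and not the vendor's fix. It shows the defensive check that the description implies: a request path is percent-decoded until it stops changing (so double-encoded sequences are not missed), backslashes are folded into forward slashes, and the result is normalised and required to stay inside the webroot before anything is served. The same containment check is then run over a few constructed access-log lines so that a defender can find requests that would have escaped the webroot, including ones a simple "../" substring match would miss. The webroot path, the log lines and the function names are constructed assumptions for this example.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample webroot for this example (not a real deployment path).
WEBROOT = "/var/lib/tomcat/webapps/ROOT"


def canonical_request_path(raw_path: str) -> str:
    """Percent-decode until the value is stable (defeats double encoding such
    as %252e) and fold backslashes into forward slashes, so that one
    normalisation step sees every spelling of '..' the same way."""
    decoded = raw_path
    for _ in range(3):  # a few rounds is enough; a sane client encodes once
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def resolve_within_webroot(webroot: str, raw_path: str) -> Optional[str]:
    """Return the absolute filesystem path the request maps to, or None when
    the normalised path would escape `webroot`. Serve only what this returns."""
    root = os.path.normpath(webroot)
    rel = canonical_request_path(raw_path).lstrip("/")
    candidate = os.path.normpath(os.path.join(root, rel))
    # normpath collapses '..' segments, so an escape shows up as a path that
    # no longer has the webroot as its prefix.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jul/2007:10:12:01 +0800] "GET /index.jsp HTTP/1.1" 200 1532
10.0.0.9 - - [02/Jul/2007:10:12:07 +0800] "GET /images/..%5C..%5Cconf/tomcat-users.xml HTTP/1.1" 200 812
10.0.0.9 - - [02/Jul/2007:10:12:09 +0800] "GET /docs/../index.jsp HTTP/1.1" 200 1532
10.0.0.12 - - [02/Jul/2007:10:13:44 +0800] "GET /%252e%252e/%252e%252e/WEB-INF/web.xml HTTP/1.1" 200 2201
"""

# client, request path and status code from a CLF line
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})'
)


def find_traversal_requests(log_text: str, webroot: str = WEBROOT) -> List[Tuple[str, str, int]]:
    """Flag requests whose path, after decoding and normalisation, would have
    resolved outside the webroot. Paths that contain '..' but stay inside the
    webroot (e.g. /docs/../index.jsp) are legitimate and are not flagged."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, path, status = m.groups()
        path = path.split("?", 1)[0]  # ignore the query string
        if resolve_within_webroot(webroot, path) is None:
            hits.append((client, path, int(status)))
    return hits


if __name__ == "__main__":
    for client, path, status in find_traversal_requests(SAMPLE_LOG):
        print(f"{client} requested {path!r} (status {status}): outside webroot")
```

A flagged request that also returned status 200 is the case worth investigating first, because it indicates the server actually handed the file back rather than rejecting the request.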
Solution:
The vendor has released versions 5.5.22 and 6.0.10 to fix this vulnerability. See the following URLs for more information:

For Apache Tomcat 5.0, 5.1, 5.2, 5.3, 5.4, 5.5, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.5.9, 5.5.10, 5.5.11, 5.5.12, 5.5.13, 5.5.14, 5.5.15, 5.5.16, 5.5.17, 5.5.18, 5.5.19, 5.5.20, 5.5.21, 5.5.22:
Apache apache-tomcat-5.5.23.tar.gz
http://gulus.usherbrooke.ca/pub/appl/apache/tomcat/tomcat-5/v5.5.23/bin/apache-tomcat-5.5.23.tar.gz

For Apache Tomcat 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9:
Apache apache-tomcat-6.0.10.tar.gz
http://apache.mirror.rafal.ca/tomcat/tomcat-6/v6.0.10/bin/apache-tomcat-6.0.10.tar.gz
References:
securityfocus.com
http://www.securityfocus.com/bid/22960

Reference: SecurityFocus
Publish Date: 2007/7/2 0:00:00