A vulnerability has been identified in Apache Tomcat, which could be exploited by attackers to bypass security restrictions and gain knowledge of sensitive information. This issue is caused by an error when normalising the target path while using a RequestDispatcher obtained from the Request, which could allow attackers to bypass certain security constraints and access content contained in the "WEB-INF" directory by sending a specially crafted request parameter to a vulnerable server.

Affected Products

Apache Tomcat versions 4.1.0 through 4.1.39
Apache Tomcat versions 5.5.0 through 5.5.27
Apache Tomcat versions 6.0.0 through 6.0.18

Solution

Upgrade to Apache Tomcat version 6.0.20 :
http://tomcat.apache.org/download-60.cgi

Upgrade to Apache Tomcat version 5.5.SVN :
http://svn.apache.org/viewvc?rev=782757&view=rev

Upgrade to Apache Tomcat version 4.1.SVN :
http://svn.apache.org/viewvc?rev=782763&view=rev

References

http://www.vupen.com/english/advisories/2009/1520
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-4.html
http://marc.info/?l=tomcat-dev&m=124449799021570&w=2

Credits

Vulnerability reported by Iida Minehiko (Fujitsu Limited).

Changelog

2009-06-09 : Initial release

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.