OSVDB ID: 34877

Title: Apache Tomcat JK Web Server Connector (mod_jk) Double Encoded Traversal Arbitrary File Access

Info

Disclosure
May 24, 2007

Discovery
Unknown

Dates

Exploit
Unknown

Solution
Unknown

Description

 Apache Tomcat JK Web Server Connector contains a flaw that allows a remote attacker to access files on the AJP back-end outside of the web root. The issue is due to a failure of handling double encoded ".." in a URL, specifically directory traversal style attacks.

Classification

 Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Confidentiality
Exploit: Exploit Unknown
Disclosure: OSVDB Verified, Vendor Verified

Solution

 Upgrade to version 1.2.23 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Apache Software Foundation

Tomcat JK Web Server Connector

 1.2.22
1.2.21
1.2.20
1.2.19
1.2.18
1.2.17
1.2.16
1.2.15
1.2.14
1.2.13
1.2.12
1.2.11
1.2.10
1.2.9
1.2.8
1.2.7
1.2.6
1.2.5
1.2.4
1.2.3
1.2.2
1.2.1
1.2.0

References

Credit
  • Kazu Nambo -


Direct URL: http://osvdb.org/34877