Users of tomcat5 should be aware of an information disclosure vulnerability that has been identified.
To view this vulnerability, its possible remedies, and other advisories, see the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx).
Amplify’d from www.criticalwatch.com
MDVSA-2010:176: [MDVSA-2010:176] tomcat5 Information Disclosure
Problem Description:
Multiple vulnerabilities have been found and corrected in tomcat5:
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0
through 4.1.36 does not properly handle (1) double quote (") characters
or (2) %5C (encoded backslash) sequences in a cookie value, which
might cause sensitive information such as session IDs to be leaked
to remote attackers and enable session hijacking attacks. NOTE:
this issue exists because of an incomplete fix for CVE-2007-3385
(CVE-2007-5333).
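The advisory above gives two concrete facts a defender can act on: the affected version ranges, and the two byte sequences in a cookie value (a literal double quote, or the encoded backslash %5C) that the vulnerable Tomcat releases mishandle. The following Python is an added triage example written for this post; it is not code from the advisory, from Critical Watch, or from the Tomcat project. It checks a Tomcat version string against the listed ranges and flags Cookie headers whose values contain either sequence, so that such requests can be surfaced from logs while patched packages are rolled out. The sample headers are constructed, and treating lowercase `%5c` the same as `%5C` is an assumption (percent-encoding is case-insensitive in general, but the advisory only names the uppercase form).

```python
"""Triage helpers for the tomcat5 cookie-handling advisory (MDVSA-2010:176 / CVE-2007-5333).

Added example, not part of the advisory. Two defender-side checks:
  1. is_affected_version(): is a Tomcat version inside one of the ranges the advisory lists?
  2. flag_suspicious_cookies(): which cookies in a Cookie header carry a literal double
     quote or an encoded backslash (%5C), the two sequences the advisory names?
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as listed in the advisory, inclusive on both ends.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((6, 0, 0), (6, 0, 14)),
    ((5, 5, 0), (5, 5, 25)),
    ((4, 1, 0), (4, 1, 36)),
]

# A literal double quote, or %5C / %5c (the lowercase form is an assumption of this example).
SUSPICIOUS = re.compile(r'"|%5[cC]')


def parse_version(text: str) -> Optional[Version]:
    """Parse 'major.minor.patch' into a comparable tuple; None if the string is not in that shape."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(text: str) -> bool:
    """True if the version falls inside any of the advisory's affected ranges."""
    v = parse_version(text)
    if v is None:
        return False
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie header into name -> raw value.

    Values are deliberately NOT percent-decoded, so an encoded backslash stays
    visible as '%5C' rather than being turned into a bare '\\'.
    """
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def flag_suspicious_cookies(header: str) -> List[str]:
    """Names of cookies whose value contains a double quote or an encoded backslash."""
    return [name for name, value in parse_cookie_header(header).items()
            if SUSPICIOUS.search(value)]


def scan_headers(headers: List[str]) -> List[Tuple[int, List[str]]]:
    """Run flag_suspicious_cookies over a batch of Cookie header values.

    Returns (index, flagged cookie names) for every header that had at least one hit.
    """
    hits = []
    for i, header in enumerate(headers):
        flagged = flag_suspicious_cookies(header)
        if flagged:
            hits.append((i, flagged))
    return hits


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    sample_headers = [
        "JSESSIONID=ABC123; pref=plain",
        "JSESSIONID=ABC123; pref=a%5Cb",
        'JSESSIONID=ABC123; pref="quoted"',
    ]
    for idx, names in scan_headers(sample_headers):
        print(f"header {idx}: cookies with quote or %5C: {names}")
    for ver in ("5.5.25", "5.5.26", "6.0.14", "6.0.15"):
        print(f"Tomcat {ver}: {'affected' if is_affected_version(ver) else 'not in listed ranges'}")
```

The version check only says whether a version is inside the ranges the advisory lists; it does not know about vendor backports, so a distribution package such as Mandriva's tomcat5 should be judged by the package's own update status rather than by the upstream version string alone. The cookie scan is a log-triage aid, not a filter: the real remedy is the corrected tomcat5 package the advisory refers to.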