Title Apache Tomcat Form Authentication Existing/Non-Existing Username Enumeration Weakness
Published 2009-06-03 12:00AM
Updated 2009-06-03 06:49PM
Class Design Error
CVE  CVE-2009-0580
Remote  Yes
Local  No
Credit  D. Matscheko and T. Hackner of SEC Consult
Vulnerable  Apache Software Foundation Tomcat 6.0.18
Apache Software Foundation Tomcat 6.0.16
Apache Software Foundation Tomcat 6.0.15
Apache Software Foundation Tomcat 6.0.14
Apache Software Foundation Tomcat 6.0.13
Apache Software Foundation Tomcat 6.0.12
Apache Software Foundation Tomcat 6.0.11
Apache Software Foundation Tomcat 6.0.10
Apache Software Foundation Tomcat 6.0.9
Apache Software Foundation Tomcat 6.0.8
Apache Software Foundation Tomcat 6.0.7
Apache Software Foundation Tomcat 6.0.6
Apache Software Foundation Tomcat 6.0.5
Apache Software Foundation Tomcat 6.0.4
Apache Software Foundation Tomcat 6.0.3
Apache Software Foundation Tomcat 6.0.2
Apache Software Foundation Tomcat 6.0.1
Apache Software Foundation Tomcat 6.0
Apache Software Foundation Tomcat 5.5.27
Apache Software Foundation Tomcat 5.5.26
Apache Software Foundation Tomcat 5.5.25
Apache Software Foundation Tomcat 5.5.24
Apache Software Foundation Tomcat 5.5.23
Apache Software Foundation Tomcat 5.5.22
Apache Software Foundation Tomcat 5.5.21
Apache Software Foundation Tomcat 5.5.20
Gentoo Linux 1.4 _rc3
Gentoo Linux 1.4 _rc2
Gentoo Linux 1.4 _rc1
Gentoo Linux 1.2
Apache Software Foundation Tomcat 5.5.19
Apache Software Foundation Tomcat 5.5.18
Apache Software Foundation Tomcat 5.5.17
Apache Software Foundation Tomcat 5.5.16
Apache Software Foundation Tomcat 5.5.15
Apache Software Foundation Tomcat 5.5.14
Apache Software Foundation Tomcat 5.5.13
Apache Software Foundation Tomcat 5.5.12
Apache Software Foundation Tomcat 5.5.11
Apache Software Foundation Tomcat 5.5.10
Apache Software Foundation Tomcat 5.5.9
Apache Software Foundation Tomcat 5.5.8
Apache Software Foundation Tomcat 5.5.7
Apache Software Foundation Tomcat 5.5.6
Apache Software Foundation Tomcat 5.5.5
Apache Software Foundation Tomcat 5.5.4
Apache Software Foundation Tomcat 5.5.3
Apache Software Foundation Tomcat 5.5.2
Apache Software Foundation Tomcat 5.5.1
Apache Software Foundation Tomcat 5.5
Apache Software Foundation Tomcat 4.1.39
Apache Software Foundation Tomcat 4.1.38
Apache Software Foundation Tomcat 4.1.37
Apache Software Foundation Tomcat 4.1.36
Apache Software Foundation Tomcat 4.1.35
Apache Software Foundation Tomcat 4.1.34
Apache Software Foundation Tomcat 4.1.32
Apache Software Foundation Tomcat 4.1.31
Apache Software Foundation Tomcat 4.1.30
Apache Software Foundation Tomcat 4.1.29
Apache Software Foundation Tomcat 4.1.28
Apache Software Foundation Tomcat 4.1.24
Apache Software Foundation Tomcat 4.1.12
Apache Software Foundation Tomcat 4.1.10
Apache Software Foundation Tomcat 4.1.9 beta
Apache Software Foundation Tomcat 4.1.3 beta
Apache Software Foundation Tomcat 4.1.3
Apache Software Foundation Tomcat 4.1
BSDI BSD/OS 4.0
Caldera OpenLinux 2.4
Conectiva Linux 5.1
Debian Linux 2.3
Debian Linux 2.2
Debian Linux 2.1
Digital UNIX 4.0
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.5
MandrakeSoft Linux Mandrake 7.1
MandrakeSoft Linux Mandrake 7.0
NetBSD NetBSD 1.4.2 x86
NetBSD NetBSD 1.4.1 x86
RedHat Linux 6.2 i386
RedHat Linux 6.1 i386
SGI IRIX 6.5
SGI IRIX 6.4
SGI IRIX 3.3
Sun Solaris 8
Sun Solaris 7.0
Not Vulnerable  Apache Software Foundation Tomcat 6.0.20
Apache Software Foundation Tomcat 5.5.28
Apache Software Foundation Tomcat 4.1.40
Code  Attackers can use readily available tools to exploit this issue. The following example POST data is available:

POST /j_security_check HTTP/1.1
Host: www.example.com

j_username=tomcat&j_password=%


Copyright 2007, SecurityDot
Wed, 25 Nov 2009 16:01:55 +0000