39833 : Apache Tomcat JULI Logging Component catalina.policy Security Bypass
Printer | http://osvdb.org/39833 | Email This | Edit Vulnerability

Views This Week

2

Views All Time

113

Info

Last Modified

9 months ago

Percent Complete

0%

Disclosure

Dec 23, 2007

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

This Entry needs help! It is only 0% Complete. Click the edit link above to add more information.

Contributing is fast and easy, and benefits the entire security community.

Keywords

Description

(Description Provided by CVE) : The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler.

Classification

Unknown or Incomplete

Products

Unknown or Incomplete

References

CVE ID: 2007-5342 (see also: NVD)
Bugtraq ID: 27006
Secunia Advisory ID: 28274 28915 29313 29711 30676 32120 32222 32266 33978
ISS X-Force ID: 39201
FrSIRT Advisory: ADV-2008-0013
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-12/0284.html
http://archives.neohapsis.com/archives/fulldisclosure/2008-09/0347.html
Vendor Specific News/Changelog Entry: http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
http://sourceforge.net/project/shownotes.php?release_id=626903&group_id=144774
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
Other Advisory URL: http://securityreason.com/securityalert/3485
http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm
http://svn.apache.org/viewvc?view=rev&revision=606594
http://www.gentoo.org/security/en/glsa/glsa-200804-10.xml
http://www.vmware.com/security/advisories/VMSA-2008-0010.html
https://rhn.redhat.com/errata/RHSA-2008-0042.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.ht ......
Vendor Specific Advisory URL: http://support.apple.com/kb/HT3216
https://rhn.redhat.com/errata/RHSA-2008-0862.html

Tools & Filters

Nessus	29856 31062 31074 31338 31957

Credit

Unknown or Incomplete

Blogs

Provided by Technorati

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

User Status

Account
- Login
- Sign-Up

Quick Searches

Advertisements

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

© Copyright 2008 Open Source Vulnerability Database (OSVDB), All Rights Reserved.
Privacy Statement - Terms of Use