CVE-2007-1860 Information

Description

mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal. This is a related issue to CVE-2007-0450.
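
The bug class behind this description is a check performed on a URL that is decoded once, after which the component behind it decodes again and resolves the resulting ".." segments. The following Python model is an added illustration, not mod_jk's code and not from the advisory: a front end that decodes once and then applies a mount prefix and an access rule, beside a hardened front end that decodes to a fixed point and normalizes before checking. The mount prefix /app/, the protected path /app/admin/, and the crafted request are constructed for the demonstration.

```python
from urllib.parse import unquote
import posixpath

# Constructed toy model of a front end that forwards URLs under a mount prefix to a
# backend and enforces an access rule on one backend path. It is NOT mod_jk's code;
# the prefix and the protected path are invented for the demonstration.
MOUNT_PREFIX = "/app/"
PROTECTED_PREFIX = "/app/admin/"   # constructed: the "protected pages"


def frontend_vulnerable(raw_url):
    """Decode once (as the web server does), apply mount and deny rules to that
    form, and forward the once-decoded URL to the backend."""
    once = unquote(raw_url)
    if not once.startswith(MOUNT_PREFIX):
        return ("not-forwarded", None)
    if once.startswith(PROTECTED_PREFIX):
        return ("denied", None)
    return ("forwarded", once)


def backend_resolve(forwarded_url):
    """The backend decodes again and collapses '.'/'..' segments. Because the
    front end already decoded once, this is the second decode, so a %25-encoded
    sequence that looked harmless at the front end becomes '..' here."""
    return posixpath.normpath(unquote(forwarded_url))


def canonicalize(raw_url, max_rounds=4):
    """Decode until the URL stops changing, then collapse dot segments.
    A request still changing after max_rounds is rejected outright."""
    cur = raw_url
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    else:
        raise ValueError("too many layers of percent-encoding")
    path = posixpath.normpath(cur)
    if not path.startswith("/"):
        raise ValueError("relative path after normalization")
    return path


def frontend_hardened(raw_url):
    """Apply the same rules, but to the fully decoded, normalized path, and
    forward that canonical path so the backend's decode and normalization
    are no-ops."""
    try:
        path = canonicalize(raw_url)
    except ValueError:
        return ("denied", None)
    if not (path == MOUNT_PREFIX.rstrip("/") or path.startswith(MOUNT_PREFIX)):
        return ("not-forwarded", None)
    if path.startswith(PROTECTED_PREFIX):
        return ("denied", None)
    return ("forwarded", path)


def end_to_end(frontend, raw_url):
    """Return (front-end verdict, path the backend would actually serve)."""
    verdict, forwarded = frontend(raw_url)
    if verdict != "forwarded":
        return (verdict, None)
    return (verdict, backend_resolve(forwarded))


if __name__ == "__main__":
    # Constructed request: ".." encoded twice (%252e%252e) so the front end sees
    # "%2e%2e", a segment that matches neither rule, while the backend sees "..".
    crafted = "/app/public/%252e%252e/admin/secret.jsp"
    print("vulnerable:", end_to_end(frontend_vulnerable, crafted))
    print("hardened:  ", end_to_end(frontend_hardened, crafted))
```

The vulnerable front end forwards the crafted request because the once-decoded form /app/public/%2e%2e/admin/secret.jsp neither leaves the mount nor matches the protected prefix; the backend's second decode turns it into /app/admin/secret.jsp. The hardened front end reaches the same canonical path before deciding and denies it, and also refuses requests that normalize out of the mount entirely. For the real connector, the remedy is the one the advisory gives: upgrade to JK 1.2.23 or later.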

Reference

http://docs.info.apple.com/article.html?artnum=306172
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
http://secunia.com/advisories/25383
http://secunia.com/advisories/25701
http://secunia.com/advisories/26235
http://secunia.com/advisories/26512
http://secunia.com/advisories/27037
http://secunia.com/advisories/29242
http://security.gentoo.org/glsa/glsa-200708-15.xml
http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1
http://tomcat.apache.org/security-jk.html
http://www.debian.org/security/2007/dsa-1312
http://www.osvdb.org/34877
http://www.redhat.com/support/errata/RHSA-2007-0379.html
http://www.redhat.com/support/errata/RHSA-2008-0261.html
http://www.securityfocus.com/bid/24147
http://www.securityfocus.com/bid/25159
http://www.securitytracker.com/id?1018138
http://www.vupen.com/english/advisories/2007/1941
http://www.vupen.com/english/advisories/2007/2732
http://www.vupen.com/english/advisories/2007/3386
https://exchange.xforce.ibmcloud.com/vulnerabilities/34496
https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002
