Author: markt Date: Wed Jun 3 13:58:22 2009 New Revision: 781379 URL: http://svn.apache.org/viewvc?rev=781379&view=rev Log: Fix NPE / information disclosure issue that allowed user enumeration with FORM auth. This is CVE-2009-0580.
Modified:
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java
tomcat/container/tc5.5.x/webapps/docs/changelog.xml
Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java?rev=781379&r1=781378&r2=781379&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java (original)
+++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java Wed Jun 3 13:58:22 2009
@@ -270,8 +270,9 @@
 */
 public Principal authenticate(String username, String credentials) {
- // No user - can't possibly authenticate, don't bother the database then
- if (username == null) {
+ // No user or no credentials
+ // Can't possibly authenticate, don't bother the database then
+ if (username == null || credentials == null) {
 return null;
 }
Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java?rev=781379&r1=781378&r2=781379&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java (original)
+++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java Wed Jun 3 13:58:22 2009
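Review bot: The added `credentials == null` guard fixes the crash, but the new comment does not record why the two conditions are folded into one early return, which is the security-relevant part of the change: per the log message the earlier NPE let a caller tell a known username from an unknown one, so a username with no credentials must now produce exactly the same result as an unknown username. Suggest replacing `// No user or no credentials` with `// No user, or no credentials: return the same result as for an unknown user so the outcome cannot reveal whether the username exists (CVE-2009-0580)`. The same comment applies to the JDBCRealm hunk below, and a regression test calling `authenticate(knownUser, null)` and `authenticate(unknownUser, null)` and asserting both return null without throwing would pin the fix. The Javadoc closed by the `*/` context line and the rest of the method body lie outside the hunk, so the `@return` documentation may also need to mention the null-credentials case.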
@@ -393,9 +393,10 @@
 String username, String credentials) {
- // No user - can't possibly authenticate
- if (username == null) {
- return (null);
+ // No user or no credentials
+ // Can't possibly authenticate, don't bother the database then
+ if (username == null || credentials == null) {
+ return null;
 }
 // Look up the user's credentials
Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java?rev=781379&r1=781378&r2=781379&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java (original)
+++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java Wed Jun 3 13:58:22 2009
@@ -147,7 +147,7 @@
 (GenericPrincipal) principals.get(username);
 boolean validated = false;
- if (principal != null) {
+ if (principal != null && credentials != null) {
 if (hasMessageDigest()) {
 // Hex hashes should be compared case-insensitive
 validated = (digest(credentials)
Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?rev=781379&r1=781378&r2=781379&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Wed Jun 3 13:58:22 2009
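Review bot: The hunk mixes a cosmetic edit, `return (null);` to `return null;`, into the CVE-2009-0580 fix; limiting the patch to the added `|| credentials == null` condition would keep the security change minimal and easier to audit and backport. The explanatory comment proposed on the DataSourceRealm hunk above applies here as well, since the two `authenticate` bodies now share the same guard. The enclosing `authenticate` signature begins before the hunk (only its parameter list is shown) and the method continues past `// Look up the user's credentials`.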
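Review bot: In MemoryRealm the null-credentials check is added to the inner `if` after the `principals.get(username)` lookup rather than as an early return at the top of the method, as the DataSourceRealm and JDBCRealm hunks do; a null credential therefore falls through with `validated` still false, which presumably reaches the same failure handling as a wrong password — confirm that path does not itself dereference `credentials`, for example when building a log message. If it does not, keeping the check here is the more defensive placement, because the known-user/null-credentials case then follows exactly the branch a failed password takes instead of a distinct early exit, and a comment such as `// Treat missing credentials as a failed check so the outcome matches a wrong password for this user` would record that intent. The enclosing method starts and ends outside the hunk.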
@@ -76,6 +76,11 @@
 logging at the context level but the security policy prevents this.
 (markt/rjung)
 </fix>
+ <fix>
+ Fix an information disclosure vulnerability in a number of the Realms
+ that allowed user enumeration when using FORM authentication. This is
+ CVE-2009-0580. (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org