PT-2009-3226 · Apache · Apache Tomcat

Published: 2009-06-03 · Updated: 2023-02-13 · CVE-2009-0580

CVSS v2.0: 4.3 (Medium) · Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 4.1.0 through 4.1.39
Apache Tomcat versions 5.5.0 through 5.5.27
Apache Tomcat versions 6.0.0 through 6.0.18
Description
The issue allows remote attackers to enumerate valid usernames via requests to "/j_security_check" with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms. This is possible when FORM authentication is used. The attack can be demonstrated by a % (percent) value for the j_password parameter. Because of insufficient error checking in these authentication classes, Tomcat allows user names to be enumerated by supplying illegally URL-encoded passwords.
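As an added illustration (not Tomcat's own code), the following Python model shows why the order of checks in a realm's authentication path leaks valid usernames when the password is malformed URL-encoded, next to an order that fails uniformly; the user store, function names and response labels are constructed for this example.

```python
import hmac
import re

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def strict_url_decode(value: str) -> str:
    """Decode %XX escapes; raise ValueError on a malformed escape such as a bare '%'."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "%":
            m = _PCT.match(value, i)
            if not m:
                raise ValueError(f"malformed escape at offset {i}")
            out.append(chr(int(m.group(1), 16)))
            i += 3
        elif ch == "+":
            out.append(" ")
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


# Constructed user store standing in for a MemoryRealm (tomcat-users.xml style).
USERS = {"tomcat": "s3cret"}


def authenticate_vulnerable(user: str, raw_password: str) -> str:
    """Leaky order: look the user up first, decode the password second.
    A bare '%' only reaches the decoder when the user exists, so a valid name
    produces an error page while an unknown name gets the normal login failure."""
    stored = USERS.get(user)
    if stored is None:
        return "login-failure"
    try:
        supplied = strict_url_decode(raw_password)
    except ValueError:
        return "error-page"  # distinguishable from "login-failure": the oracle
    return "ok" if hmac.compare_digest(supplied.encode(), stored.encode()) else "login-failure"


def authenticate_fixed(user: str, raw_password: str) -> str:
    """Safe order: validate and decode input before touching the realm, and map
    every failure (malformed input or wrong credentials) to one outcome."""
    try:
        supplied = strict_url_decode(raw_password)
    except ValueError:
        return "login-failure"
    stored = USERS.get(user, "")
    ok = user in USERS and hmac.compare_digest(supplied.encode(), stored.encode())
    return "ok" if ok else "login-failure"
```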
Recommendations
For Apache Tomcat versions 4.1.0 through 4.1.39, consider disabling the FORM-based authentication with the MemoryRealm until a patch is available.
For Apache Tomcat versions 5.5.0 through 5.5.27, restrict access to the "/j_security_check" endpoint to minimize the risk of exploitation.
For Apache Tomcat versions 6.0.0 through 6.0.18, avoid using the j_password parameter in the affected API endpoint until the issue is resolved.

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2009-0580
DSA-2207-1
GHSA-W227-XCFX-3PJ8
HPSBUX02579
HPSBUX02860
RHSA-2009:1143
RHSA-2009:1144
RHSA-2009:1145
RHSA-2009:1146
RHSA-2009:1164
RHSA-2009:1454
RHSA-2009:1506
RHSA-2009:1562
RHSA-2009:1563
RHSA-2009:1616
RHSA-2010:0602

Affected Products

Apache Tomcat
HP-UX
Red Hat