Title Apache Tomcat Form Authentication Existing/Non-Existing Username Enumeration Weakness
Published 2009-06-03-12:00AM
Updated 2009-06-03-06:49PM
Class Design Error
CVE   CVE-2009-0580
Remote  Yes
Local  No
Credit  D. Matscheko and T. Hackner of SEC Consult
Vulnerable  Apache Software Foundation Tomcat 6.0.18
Apache Software Foundation Tomcat 6.0.16
Apache Software Foundation Tomcat 6.0.15
Apache Software Foundation Tomcat 6.0.14
Apache Software Foundation Tomcat 6.0.13
Apache Software Foundation Tomcat 6.0.12
Apache Software Foundation Tomcat 6.0.11
Apache Software Foundation Tomcat 6.0.10
Apache Software Foundation Tomcat 6.0.9
Apache Software Foundation Tomcat 6.0.8
Apache Software Foundation Tomcat 6.0.7
Apache Software Foundation Tomcat 6.0.6
Apache Software Foundation Tomcat 6.0.5
Apache Software Foundation Tomcat 6.0.4
Apache Software Foundation Tomcat 6.0.3
Apache Software Foundation Tomcat 6.0.2
Apache Software Foundation Tomcat 6.0.1
Apache Software Foundation Tomcat 6.0
Apache Software Foundation Tomcat 5.5.27
Apache Software Foundation Tomcat 5.5.26
Apache Software Foundation Tomcat 5.5.25
Apache Software Foundation Tomcat 5.5.24
Apache Software Foundation Tomcat 5.5.23
Apache Software Foundation Tomcat 5.5.22
Apache Software Foundation Tomcat 5.5.21
Apache Software Foundation Tomcat 5.5.20
Apache Software Foundation Tomcat 5.5.20
Gentoo Linux 1.4 _rc3
Gentoo Linux 1.4 _rc2
Gentoo Linux 1.4 _rc1
Gentoo Linux 1.2
Apache Software Foundation Tomcat 5.5.19
Apache Software Foundation Tomcat 5.5.18
Apache Software Foundation Tomcat 5.5.17
Apache Software Foundation Tomcat 5.5.17
Apache Software Foundation Tomcat 5.5.16
Apache Software Foundation Tomcat 5.5.15
Apache Software Foundation Tomcat 5.5.14
Apache Software Foundation Tomcat 5.5.13
Apache Software Foundation Tomcat 5.5.12
Apache Software Foundation Tomcat 5.5.12
Apache Software Foundation Tomcat 5.5.11
Apache Software Foundation Tomcat 5.5.11
Apache Software Foundation Tomcat 5.5.10
Apache Software Foundation Tomcat 5.5.10
Apache Software Foundation Tomcat 5.5.9
Apache Software Foundation Tomcat 5.5.9
Apache Software Foundation Tomcat 5.5.8
Apache Software Foundation Tomcat 5.5.8
Apache Software Foundation Tomcat 5.5.7
Apache Software Foundation Tomcat 5.5.7
Apache Software Foundation Tomcat 5.5.6
Apache Software Foundation Tomcat 5.5.6
Apache Software Foundation Tomcat 5.5.5
Apache Software Foundation Tomcat 5.5.5
Apache Software Foundation Tomcat 5.5.4
Apache Software Foundation Tomcat 5.5.4
Apache Software Foundation Tomcat 5.5.3
Apache Software Foundation Tomcat 5.5.3
Apache Software Foundation Tomcat 5.5.2
Apache Software Foundation Tomcat 5.5.2
Apache Software Foundation Tomcat 5.5.1
Apache Software Foundation Tomcat 5.5.1
Apache Software Foundation Tomcat 5.5
Apache Software Foundation Tomcat 5.5
Apache Software Foundation Tomcat 4.1.39
Apache Software Foundation Tomcat 4.1.38
Apache Software Foundation Tomcat 4.1.37
Apache Software Foundation Tomcat 4.1.36
Apache Software Foundation Tomcat 4.1.36
Apache Software Foundation Tomcat 4.1.35
Apache Software Foundation Tomcat 4.1.34
Apache Software Foundation Tomcat 4.1.34
Gentoo Linux 1.4 _rc3
Gentoo Linux 1.4 _rc2
Gentoo Linux 1.4 _rc1
Gentoo Linux 1.2
Apache Software Foundation Tomcat 4.1.32
Apache Software Foundation Tomcat 4.1.31
Apache Software Foundation Tomcat 4.1.30
Apache Software Foundation Tomcat 4.1.29
Apache Software Foundation Tomcat 4.1.28
Apache Software Foundation Tomcat 4.1.24
Gentoo Linux 1.4 _rc3
Gentoo Linux 1.4 _rc2
Gentoo Linux 1.4 _rc1
Gentoo Linux 1.2
Apache Software Foundation Tomcat 4.1.12
Apache Software Foundation Tomcat 4.1.10
Apache Software Foundation Tomcat 4.1.9 beta
Apache Software Foundation Tomcat 4.1.3 beta
Apache Software Foundation Tomcat 4.1.3
Apache Software Foundation Tomcat 4.1
Apache Software Foundation Tomcat 4.1
BSDI BSD/OS 4.0
Caldera OpenLinux 2.4
Conectiva Linux 5.1
Debian Linux 2.3
Debian Linux 2.2
Debian Linux 2.1
Digital UNIX 4.0
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.5
MandrakeSoft Linux Mandrake 7.1
MandrakeSoft Linux Mandrake 7.0
NetBSD NetBSD 1.4.2 x86
NetBSD NetBSD 1.4.1 x86
RedHat Linux 6.2 i386
RedHat Linux 6.1 i386
SGI IRIX 6.5
SGI IRIX 6.4
SGI IRIX 3.3
Sun Solaris 8
Sun Solaris 7.0
Not Vulnerable  Apache Software Foundation Tomcat 6.0.20
Apache Software Foundation Tomcat 5.5.28
Apache Software Foundation Tomcat 4.1.40
Code  Attackers can use readily available tools to exploit this issue. The following example POST data is available:

POST /j_security_check HTTP/1.1
Host: www.example.com

j_username=tomcat&j_password=%
Copyright 2007, SecurityDot
Thu, 26 Nov 2009 03:42:16 +0000
