Vulnerabilities > CVE-2005-3164 - Information Exposure vulnerability in multiple products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
hitachi
apache
CWE-200
nessus
NVD
Published: 2005-10-06
Updated: 2023-11-07

Summary

The AJP connector in Apache Tomcat 4.0.1 through 4.0.6 and 4.1.0 through 4.1.36, as used in Hitachi Cosminexus Application Server and standalone, does not properly handle when a connection is broken before request body data is sent in a POST request, which can lead to an information leak when "unsuitable request body data" is used for a different request, possibly related to Java Servlet pages.

Vulnerable Configurations

Part Description Count
Application
Hitachi
4
Application
Apache
42

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familyWeb Servers
    NASL idTOMCAT_4_1_37.NASL
    descriptionAccording to its self-reported version number, the instance of Apache Tomcat 4.x listening on the remote host is prior to 4.1.37. It is, therefore, affected by the following vulnerabilities : - The remote Apache Tomcat install may be vulnerable to an information disclosure attack if the deprecated AJP connector processes a client request having a non-zero Content-Length and the client disconnects before sending the request body. (CVE-2005-3164) - The remote Apache Tomcat install may be vulnerable to a cross-site scripting attack if the JSP and Servlet examples are enabled. Several of these examples do not properly validate user input. (CVE-2007-1355, CVE-2007-2449) - The remote Apache Tomcat install may be vulnerable to a cross-site scripting attack if the Manager web application is enabled as it fails to escape input data. (CVE-2007-2450) - The remote Apache Tomcat install may be vulnerable to an information disclosure attack via cookies. Apache Tomcat treats the single quote character in a cookie as a delimiter which can lead to information, such as session ID, to be disclosed. (CVE-2007-3382) - The remote Apache Tomcat install may be vulnerable to a cross-site scripting attack if the SendMailServlet is enabled. The SendMailServlet is a part of the examples web application and, when reporting error messages, fails to escape user provided data. (CVE-2007-3383) - The remote Apache Tomcat install may be vulnerable to an information disclosure attack via cookies. The previous fix for CVE-2007-3385 was incomplete and did not account for the use of quotes or
    last seen2020-03-18
    modified2010-06-16
    plugin id47030
    published2010-06-16
    reporterThis script is Copyright (C) 2010-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/47030
    titleApache Tomcat 4.x < 4.1.37 Multiple Vulnerabilities
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(47030);
  script_version("1.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/11");

  script_cve_id(
    "CVE-2005-3164",
    "CVE-2007-1355",
    "CVE-2007-2449",
    "CVE-2007-2450",
    "CVE-2007-3382",
    "CVE-2007-3383",
    "CVE-2007-3385",
    "CVE-2007-5333",
    "CVE-2007-5461"
  );
  script_bugtraq_id(
    15003,
    24058,
    24475,
    24476,
    24999,
    25316,
    26070,
    27706
  );
  script_xref(name:"Secunia", value:"25678");
  script_xref(name:"Secunia", value:"26466");
  script_xref(name:"Secunia", value:"28878");
  script_xref(name:"Secunia", value:"27398");

  script_name(english:"Apache Tomcat 4.x < 4.1.37 Multiple Vulnerabilities");
  script_summary(english:"Checks the Apache Tomcat version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Apache Tomcat server is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the instance of Apache
Tomcat 4.x listening on the remote host is prior to 4.1.37. It is,
therefore, affected by the following vulnerabilities :

  - The remote Apache Tomcat install may be vulnerable to an
    information disclosure attack if the deprecated AJP
    connector processes a client request having a non-zero
    Content-Length and the client disconnects before
    sending the request body. (CVE-2005-3164)

  - The remote Apache Tomcat install may be vulnerable to
    a cross-site scripting attack if the JSP and Servlet
    examples are enabled. Several of these examples do
    not properly validate user input.
    (CVE-2007-1355, CVE-2007-2449)

  - The remote Apache Tomcat install may be vulnerable to
    a cross-site scripting attack if the Manager web
    application is enabled as it fails to escape input
    data. (CVE-2007-2450)

  - The remote Apache Tomcat install may be vulnerable to an
    information disclosure attack via cookies. Apache Tomcat
    treats the single quote character in a cookie as a
    delimiter which can lead to information, such as session
    ID, to be disclosed. (CVE-2007-3382)

  - The remote Apache Tomcat install may be vulnerable to
    a cross-site scripting attack if the SendMailServlet is
    enabled. The SendMailServlet is a part of the examples
    web application and, when reporting error messages,
    fails to escape user provided data. (CVE-2007-3383)

  - The remote Apache Tomcat install may be vulnerable to an
    information disclosure attack via cookies. The previous
    fix for CVE-2007-3385 was incomplete and did not account
    for the use of quotes or '%5C' in cookie values.
    (CVE-2007-3385, CVE-2007-5333)

  - The remote Apache Tomcat install may be vulnerable to an
    information disclosure attack via the WebDAV servlet.
    Certain WebDAV requests, containing an entity with a
    SYSTEM tag, can result in the disclosure of arbitrary
    file contents. (CVE-2007-5461)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number..");
  script_set_attribute(attribute:"see_also", value:"http://tomcat.apache.org/security-4.html#Fixed_in_Apache_Tomcat_4.1.37");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/469067/100/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/471351/100/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/471357/100/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/476442/100/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/474413/100/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/476444/100/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/487822/100/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/507985/100/0/threaded");
  script_set_attribute(attribute:"solution", value:"Upgrade to Apache Tomcat version 4.1.37 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2005-3164");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(22, 79, 200);

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2008/02/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/06/16");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
  script_set_attribute(attribute:"agent", value:"all");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2010-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tomcat_error_version.nasl", "tomcat_win_installed.nbin", "apache_tomcat_nix_installed.nbin");
  script_require_keys("installed_sw/Apache Tomcat");

  exit(0);
}

include("tomcat_version.inc");

tomcat_check_version(fixed:"4.1.37", min:"4.0.0", severity:SECURITY_WARNING, xss:TRUE, granularity_regex:"^4(\.1)?$");
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_5_4.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.4. Mac OS X 10.5.4 contains security fixes for multiple components.
    last seen2020-06-01
    modified2020-06-02
    plugin id33281
    published2008-07-01
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33281
    titleMac OS X 10.5.x < 10.5.4 Multiple Vulnerabilities
    code
    #
# (C) Tenable Network Security, Inc.
#


if (!defined_func("bn_random")) exit(0);
if ( NASL_LEVEL < 3004 ) exit(0);



include("compat.inc");

if (description)
{
  script_id(33281);
  script_version("1.22");
  script_cvs_date("Date: 2018/07/14  1:59:35");

  script_cve_id("CVE-2005-3164", "CVE-2007-1355", "CVE-2007-2449", "CVE-2007-2450", "CVE-2007-3382",
                "CVE-2007-3383", "CVE-2007-3385", "CVE-2007-5333", "CVE-2007-5461", "CVE-2007-6276",
                "CVE-2008-0960", "CVE-2008-1105", "CVE-2008-1145", "CVE-2008-2307", "CVE-2008-2308",
                "CVE-2008-2309", "CVE-2008-2310", "CVE-2008-2311", "CVE-2008-2313", "CVE-2008-2314",
                "CVE-2008-2662", "CVE-2008-2663", "CVE-2008-2664", "CVE-2008-2725", "CVE-2008-2726");
  script_bugtraq_id(15003, 24058, 24475, 24476, 24999, 25316, 26070, 26699, 27706,
                    28123, 29404, 29623, 29836, 30018);
  script_xref(name:"Secunia", value:"30802");

  script_name(english:"Mac OS X 10.5.x < 10.5.4 Multiple Vulnerabilities");
  script_summary(english:"Check the version of Mac OS X");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a Mac OS X update that fixes various
security issues." );
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of Mac OS X 10.5.x that is prior
to 10.5.4. 

Mac OS X 10.5.4 contains security fixes for multiple components.");
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT2163" );
  script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2008/Jun/msg00002.html" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to Mac OS X 10.5.4 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  script_cwe_id(22, 59, 79, 119, 134, 189, 200, 264, 287, 362, 399);

  script_set_attribute(attribute:"plugin_publication_date", value: "2008/07/01");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/09/30");
  script_set_attribute(attribute:"patch_publication_date", value: "2008/06/30");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  exit(0);
}


os = get_kb_item("Host/MacOSX/Version");
if (!os) os = get_kb_item("Host/OS");
if (!os) exit(0);

if (ereg(pattern:"Mac OS X 10\.5\.[0-3]([^0-9]|$)", string:os)) security_hole(0);
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2008-004.NASL
    descriptionThe remote host is running a version of Mac OS X 10.4 that does not have the security update 2008-004 applied. This update contains security fixes for a number of programs.
    last seen2020-06-01
    modified2020-06-02
    plugin id33282
    published2008-07-01
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33282
    titleMac OS X Multiple Vulnerabilities (Security Update 2008-004)
    code
    #
# (C) Tenable Network Security, Inc.
#


if (!defined_func("bn_random")) exit(0);
if ( NASL_LEVEL < 3004 ) exit(0);



include("compat.inc");

if (description)
{
  script_id(33282);
  script_version("1.26");
  script_cvs_date("Date: 2018/07/14  1:59:35");

  script_cve_id("CVE-2005-3164", "CVE-2007-1355", "CVE-2007-2449", "CVE-2007-2450", "CVE-2007-3382",
                "CVE-2007-3383", "CVE-2007-3385", "CVE-2007-5333", "CVE-2007-5461", "CVE-2007-6276",
                "CVE-2008-0960", "CVE-2008-1105", "CVE-2008-1145", "CVE-2008-2307", "CVE-2008-2308",
                "CVE-2008-2309", "CVE-2008-2310", "CVE-2008-2311", "CVE-2008-2313", "CVE-2008-2314",
                "CVE-2008-2662", "CVE-2008-2663", "CVE-2008-2664", "CVE-2008-2725", "CVE-2008-2726");
  script_bugtraq_id(15003, 24058, 24475, 24476, 24999, 25316, 26070, 26699, 27706, 28123, 29404, 29623, 29836, 30018);
  script_xref(name:"Secunia", value:"30802");

  script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2008-004)");
  script_summary(english:"Check for the presence of Security Update 2008-004");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a Mac OS X update that fixes various
security issues." );
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of Mac OS X 10.4 that does not
have the security update 2008-004 applied. 

This update contains security fixes for a number of programs." );
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT2163" );
  script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2008/Jun/msg00002.html" );
  script_set_attribute(attribute:"solution", value:
"Install Security Update 2008-004 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  script_cwe_id(22, 59, 79, 119, 134, 189, 200, 264, 287, 362, 399);

  script_set_attribute(attribute:"plugin_publication_date", value: "2008/07/01");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/09/30");
  script_set_attribute(attribute:"patch_publication_date", value: "2008/06/30");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages", "Host/uname");
  exit(0);
}

#

uname = get_kb_item("Host/uname");
if (!uname) exit(0);

if (egrep(pattern:"Darwin.* (8\.[0-9]\.|8\.1[01]\.)", string:uname))
{
  packages = get_kb_item("Host/MacOSX/packages");
  if (!packages) exit(0);

  if (!egrep(pattern:"^SecUpd(Srvr)?(2008-00[4-8]|2009-|20[1-9][0-9]-)", string:packages))
    security_hole(0);
}

References