![]() NOTE: the vendor disputes the significance of this report, stating that “the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application … as they require a reckless system administrator.” CVE-2013-6357 T10:55:04.190-05:00 6.8 ** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI.Version 1.0 NovemInitial version (TLP:WHITE).TLP:WHITE information may be distributed without restriction, subject to copyright controls. ![]() If in doubt, don’t hesitate to contact CIRCL. You can also use your network or security device to restrict the source IP to required Apache Tomcat administrators. This can be done using the Valve element from Tomcat or directly the Apache configuration To avoid username-password brute forcing of the Tomcat manager interface, we recommend to apply packet filtering It should be safe to block all access on your Firewalls/IPS/DNS to the following domains/IP addresses: ![]() You might use it as a base for reviewing log files.
0 Comments
Leave a Reply. |