When accessing a directory protected by a security constraint with a URL that did not end in a slash, Tomcat would redirect to the URL with the trailing slash, thereby confirming the presence of the directory before processing the security constraint. It was therefore possible for a user to determine if a directory existed or not, even if the user was not permitted to view the directory. The issue also occurred at the root of a web application, in which case the presence of the web application was confirmed, even if a user did not have access.
External references: http://seclists.org/bugtraq/2016/Feb/146
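The following is an added illustration of the ordering problem described in the comment above; it is not Tomcat code and not part of the bug report. It models a request pipeline in two variants: one that decides the trailing-slash redirect before the security constraint is evaluated (the pre-fix behaviour), and one that evaluates the constraint first. The deployment layout (/app with a protected /app/admin directory, and /secretapp whose constraint covers the whole application, i.e. the context-root case) and the simplified prefix matching of constraints are constructed assumptions.

```python
"""Model of the check ordering behind the Tomcat directory-redirect leak.

Constructed example, not Tomcat code.  Two handlers process the same
requests; the only difference is whether the redirect-to-trailing-slash
decision happens before or after the security constraint is enforced.
"""
from dataclasses import dataclass

# Constructed deployment: directories that exist on disk, and the URL
# prefixes covered by a security constraint.  '/secretapp' stands for a
# whole web application protected at '/*' (the root case in the advisory);
# '/app/admin' is a protected directory inside an otherwise public app.
DIRECTORIES = {"/app", "/app/public", "/app/admin",
               "/secretapp", "/secretapp/reports"}
PROTECTED_PREFIXES = ("/app/admin", "/secretapp")


@dataclass
class Request:
    path: str
    authenticated: bool = False


def is_protected(path: str) -> bool:
    """Simplified constraint matching: prefix itself or anything below it."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def is_directory_without_slash(path: str) -> bool:
    """True when the request names an existing directory but lacks the '/'."""
    return not path.endswith("/") and path in DIRECTORIES


def exists(path: str) -> bool:
    return path.rstrip("/") in DIRECTORIES


def vulnerable_handle(req: Request) -> int:
    """Pre-fix ordering: the redirect is issued before the constraint runs.

    Only existing directories reach the 302 branch, so an unauthenticated
    caller learns whether a protected directory exists from the status alone.
    """
    if is_directory_without_slash(req.path):
        return 302
    if is_protected(req.path) and not req.authenticated:
        return 401
    return 200 if exists(req.path) else 404


def fixed_handle(req: Request) -> int:
    """Fixed ordering: the constraint is enforced first.

    An unauthenticated request under a protected prefix gets 401 whether or
    not the directory exists; the redirect is only reachable once the
    caller has satisfied the constraint.
    """
    if is_protected(req.path) and not req.authenticated:
        return 401
    if is_directory_without_slash(req.path):
        return 302
    return 200 if exists(req.path) else 404


def enumerate_directories(handle, candidates):
    """Directories an unauthenticated client can confirm via the 302 oracle."""
    return sorted(p for p in candidates if handle(Request(p)) == 302)


# Constructed probe list: existing and non-existing paths, protected or not.
CANDIDATES = ["/app/admin", "/app/admin/archive", "/app/public",
              "/secretapp", "/secretapp/reports", "/otherapp"]

if __name__ == "__main__":
    print("vulnerable:", enumerate_directories(vulnerable_handle, CANDIDATES))
    print("fixed:     ", enumerate_directories(fixed_handle, CANDIDATES))
```

With the vulnerable ordering the probe confirms /app/admin, /secretapp and /secretapp/reports without credentials; with the constraint evaluated first, only the public directory is distinguishable through the redirect, and /app/admin and the non-existent /app/admin/archive both answer 401. The same 302 still appears for an authenticated caller, which is the behaviour the fix preserves.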
Upstream patches:
Tomcat6:
http://svn.apache.org/viewvc?view=revision&revision=1715216
http://svn.apache.org/viewvc?view=revision&revision=1717216
Tomcat7:
http://svn.apache.org/viewvc?view=revision&revision=1715213
http://svn.apache.org/viewvc?view=revision&revision=1717212
http://svn.apache.org/viewvc?view=revision&revision=1716860
Tomcat8:
http://svn.apache.org/viewvc?view=revision&revision=1715207
http://svn.apache.org/viewvc?view=revision&revision=1717209
This issue has been addressed in the following products: Red Hat JBoss Web Server 3.0.3 Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html
This issue has been addressed in the following products: JWS 3.0 for RHEL 7 Via RHSA-2016:1088 https://access.redhat.com/errata/RHSA-2016:1088
This issue has been addressed in the following products: JWS 3.0 for RHEL 6 Via RHSA-2016:1087 https://access.redhat.com/errata/RHSA-2016:1087
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:2045 https://rhn.redhat.com/errata/RHSA-2016-2045.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html