Java Mailing List Archive

http://www.junlu.com/


RE: security hole on windows Apache -> Tomcat?

Angus Mezick

2003-08-13


OK. I have this problem, but it isn't Tomcat that is doing the serving
of the JSP source. It is Apache. This is my workers2.properties URI
section:


[uri:www.SITENAME.org/*.jsp]
group=lbWWW
[uri:www.SITENAME.org/*.adp]
group=lbWWW
[uri:www.SITENAME.org/*.inc]
group=lbWWW
[uri:www.SITENAME.org/servlet/*]
group=lbWWW
[uri:www.SITENAME.org/*.gs]
group=lbWWW


I am guessing the problem is because
http://www.SITENAME.org/index.jsp%20 is not a match for
http://www.SITENAME.org/*.jsp (that trailing space messes stuff up).
Should I just create a RedirectMatch for this case that removes all
trailing whitespace? Would mod_rewrite be better for this? I am using
this list for this question because I KNOW the Apache list doesn't want
Tomcat integration questions.
--Angus


> -----Original Message-----
> From: Jeff Tulley [mailto:JTULLEY@(protected)]
> Sent: Tuesday, August 12, 2003 9:14 PM
> To: tomcat-user@(protected)
> Subject: Re: security hole on windows tomcat?
>
>
> I've verified that this workaround stops the problem on Win XP's 1.4.2
> and on NetWare's 1.4.2
>
> Jeff Tulley (jtulley@(protected))
> (801)861-5322
> Novell, Inc., The Leading Provider of Net Business Solutions
> http://www.novell.com
>
> >>> jfarcand@(protected) >>>
> Sorry, I've just realized this thread may be related to bugtraq
> #4895132
>
> (thanks to Jeff for the wake-up mail on tomcat-dev ;-) ). The
> workaround is to add the following property when starting Tomcat:
>
> -Dsun.io.useCanonCaches=false
>
> Can someone try it and let me know if it changes something. If this is
> not working, then point me to a very simple test case and I will file a
> new bugtraq bug.
>
> -- Jeanfrancois
>
>
> Eric J. Pinnell wrote:
>
> >I think at this point this might be a worthwhile candidate for Sun's
> >bugparade. At least get it on their radars (if they don't know about
> >it already). It's interesting that the bug doesn't show up in Tomcat
> >4.1.27. When 1.4.2 was released 4.1.24 was the latest stable build.
> >
> >Regardless, the JDK/appserver/whatever should never puke its guts and
> >spit out the source code when it gets a request it doesn't know how to
> >deal with. Upon failure it should result in some kind of error. Sun
> >might care about this...
> >
> >-e
> >
> >On Tue, 12 Aug 2003, Jeff Tulley wrote:
> >
> >
> >
> >>It is highly possible that this is dependent on the JVM you have
> >>installed. I actually finally WAS able to see this on Windows XP,
> >>but only if Tomcat was running on JVM 1.4.2. The problem did NOT
> >>happen with 1.4.1. Of course, JVM version is the one item I left off
> >>of my "poll" in my email below. :)
> >>
> >>I'm trying to verify this on other OS's and track down what the
> >>actual problem is.
> >>
> >>But, if you run Tomcat on JVM 1.4.2, verify if you have this
> >>problem.
> >>
> >>Jeff Tulley (jtulley@(protected))
> >>(801)861-5322
> >>Novell, Inc., The Leading Provider of Net Business Solutions
> >>http://www.novell.com
> >>
> >>  
> >>
> >>>>>mpnix@(protected) >>>
> >>Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost
> >>via either port 8080 or port 80 - pages return fine without the %20
> >>suffix, always return http 404 with the suffix.
> >>
> >>Murray
> >>-----Original Message-----
> >>From: Jeff Tulley [mailto:JTULLEY@(protected)]
> >>Sent: Wednesday, 13 August 2003 02:41
> >>To: tomcat-user@(protected)
> >>Subject: RE: security hole on windows tomcat?
> >>
> >>
> >>So this issue is confusing. It seems that indeed there IS an issue,
> >>though most cannot see a problem.
> >>Talking to some people off-list, it seems that some think it is a
> >>JK2 / workers2.properties issue. But I'm pretty sure that others have
> >>seen this going directly to port 8080.
> >>We probably need to take a quick poll:
> >>
> >>If you have seen this security problem of being able to view JSP
> >>source, in what scenario(s)?
> >>
> >>Tomcat version
> >>OS version
> >>Directly to Tomcat ("8080") or through Apache - JK or JK2?
> >>(If you've seen the problem, please include your workers or
> >>workers2.properties file, with a .txt extension)
> >>Browser version(s)
> >>URLs where this was seen or not seen
> >>
> >>If you have seen this in multiple scenarios, and not in others,
> >>please list each separately.
> >>
> >>
> >>I have NOT seen it in the following scenarios:
> >>
> >>Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
> >>Windows 2000 5.00.2195 Service Pack 4
> >>Directly to port 8080
> >>Internet Explorer 6.0.2800.1106 with all security patches up to date
> >>I tried http://(url):8080/index.jsp%20
> >>
> >>Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only
> >>adding one JNDIRealm beyond the default config)
> >>Novell NetWare 6.5
> >>Directly to port 8080, and through Apache - mod_jk.nlm
> >>Internet Explorer 6.0.2800.1106 with all security patches up to date
> >>I tried http://(url):8080/index.jsp%20 and
> >>https://(url)/tomcat/admin/index.jsp%20
> >>
> >>
> >>Hopefully this mail gets through; I haven't been seeing my emails
> >>show up on tomcat-user for some reason (I un/resubscribed today...)
> >>
> >>It would be really good to get to the bottom of this!
> >>
> >>Jeff Tulley (jtulley@(protected))
> >>(801)861-5322
> >>Novell, Inc., The Leading Provider of Net Business Solutions
> >>http://www.novell.com
> >>
> >>  
> >>
> >>>>>ccox@(protected) >>>
> >>can you turn on debugging for the default servlet(conf/web.xml) and
> >>also
> >>turn on the requestdumpervalve(server.xml) and post the log.
> >>
> >>
> >>------------------------------------------------------------
> ---------
> >>To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
> >>For additional commands, e-mail: tomcat-user-help@(protected)

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
For additional commands, e-mail: tomcat-user-help@(protected)
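The situation Angus describes (a request for index.jsp%20 falling through the JK2 *.jsp mount and landing on Apache's own file handler) can be closed off in the Apache configuration rather than by patching the mount list. The following is an added example written for this page; it is not from the thread, from mod_jk2 or from Tomcat. It assumes Apache 2.0 with mod_rewrite loaded and that these lines sit in the VirtualHost for www.SITENAME.org next to the existing JK2 mounts for lbWWW; the vhost name and the extension list are taken from Angus's workers2.properties, everything else is an assumption.

```apache
# Added example (not from the thread): harden the vhost against the
# trailing-%20 case. Assumes Apache 2.0 with mod_rewrite loaded and that
# this sits in the <VirtualHost> for www.SITENAME.org.

RewriteEngine On

# RewriteRule in server/vhost context is applied to the %-decoded
# URL-path, so "/index.jsp%20" arrives here as "/index.jsp " with a
# literal trailing space. Refuse any path that ends in whitespace instead
# of trying to repair it: no legitimate resource ends that way, and a 403
# here means the request never reaches a file handler at all.
RewriteRule [ \t]+$ - [F]

# Defense in depth: even if a request slips past the JK2 mounts, Apache's
# own file handler must never serve application source. The pattern
# tolerates trailing whitespace on purpose: on Windows, opening
# "index.jsp " yields index.jsp, and a plain "\.jsp$" would miss that
# filename for exactly the same reason the "*.jsp" mount missed the URI.
<FilesMatch "\.(jsp|adp|inc|gs)[ \t]*$">
    Order deny,allow
    Deny from all
</FilesMatch>
```

After a graceful restart, `curl -i "http://www.SITENAME.org/index.jsp%20"` should return 403 where it previously returned the JSP source, and a request for /index.jsp should still be handed to the lbWWW worker unchanged. The RewriteRule rejects rather than strips the whitespace because a redirect to the cleaned path would silently turn a probe into a valid request; rejecting it also leaves a clear 403 in the access log for anyone hunting for source-disclosure attempts. Neither rule replaces the JVM-side workaround quoted in the thread (-Dsun.io.useCanonCaches=false) for installations where Tomcat itself serves the source on port 8080; it only covers the path through Apache.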