Re: CVE-2018-11759 vulnerability checking

2018-11-22 Thread GNK G
Thanks Mark. Got it clarified.

On Thu, Nov 22, 2018 at 10:50 PM Mark Thomas  wrote:

> On November 22, 2018 4:19:40 PM UTC, GNK G  wrote:
> >Hello Team,
> >
> >According to the link below, we can check the vulnerability using the
> >"status" worker:
> >
> https://www.immunit.ch/blog/2018/11/01/cve-2018-11759-apache-mod_jk-access-bypass/
> >
> >I am able to simulate the issue using the above method.
> >
> >But it is specific only to the "status" worker.
> >
> >Does that mean the issue is specific only to the "status" worker, and if we
> >don't use it, we are not vulnerable?
>
> No. The vulnerability is not specific to the status worker.
>
> >I am trying the same method on other URLs (by appending ;) on our
> >server, and it always goes to authentication. So can I assume it does not
> >affect other parts of our server?
>
> No. Whether or not you are vulnerable will depend on multiple factors.
>
> If you are applying access controls in httpd to a subset of the URLs
> served by Tomcat or if Tomcat serves only a subset of the URLs accessible
> through httpd then you are probably vulnerable.
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: javax.websocket.Session.getRequestParameterMap() encoding

2018-11-22 Thread Mark Thomas
On 22/11/2018 21:29, Johan Compagner wrote:
> On Thu, 22 Nov 2018 at 22:05, Mark Thomas wrote:
>> On 22/11/2018 16:06, Johan Compagner wrote
>>>
>>> problem is how do we do that in a websocket scenario?
>>
>> Several options:
>> - configure the connector
>> - use a filter before the request reaches the WebSocket filter
>>
> 
> 
> We can't do a Tomcat-only version. We don't control deployment; we can only
> generate the war file and configure in the web.xml in the war or in code.
> 
> But can you add a filter to the same websocket url (let's say /websocket)
> and then quickly set the encoding on that request before it upgrades it to
> a websocket?

That will work on Tomcat because:
a) Tomcat uses a Filter to redirect requests to WebSocket; and
b) Tomcat puts this filter at the end of the chain to ensure that any
filters that - for example - enforce security run first.

For other containers it will depend on how they do the mapping.

Mark




Re: javax.websocket.Session.getRequestParameterMap() encoding

2018-11-22 Thread Johan Compagner
On Thu, 22 Nov 2018 at 22:05, Mark Thomas wrote:

> On 22/11/2018 16:06, Johan Compagner wrote
> >
> > problem is how do we do that in a websocket scenario?
>
> Several options:
> - configure the connector
> - use a filter before the request reaches the WebSocket filter
>


We can't do a Tomcat-only version. We don't control deployment; we can only
generate the war file and configure in the web.xml in the war or in code.

But can you add a filter to the same websocket url (let's say /websocket)
and then quickly set the encoding on that request before it upgrades it to
a websocket?



> Mark
>
>
>


Re: javax.websocket.Session.getRequestParameterMap() encoding

2018-11-22 Thread Mark Thomas

On 22/11/2018 16:06, Johan Compagner wrote:
> Hi,
>
> If we send a value that is UTF-8 URL-encoded to the websocket:
>
> H%C3%BCnenberg
>
> then somehow Tomcat just encodes that using, I think, "ISO-8859-1"

Tomcat version?

See URIEncoding for the Connector.

> if we are in a filter or servlet we just do:
>
> request.setCharacterEncoding("UTF8");
>
> and then ask for the parameter map, then everything is fine: it will be
> decoded correctly to Hünenberg
>
> problem is how do we do that in a websocket scenario?

Several options:
- configure the connector
- use a filter before the request reaches the WebSocket filter

Mark




Re: Translations update

2018-11-22 Thread Mark Thomas
On 22/11/2018 18:26, Mark Thomas wrote:
> On November 22, 2018 5:13:36 PM UTC, "Rémy Maucherat"  wrote:
>> On Wed, Nov 21, 2018 at 10:58 AM Mark Thomas  wrote:
>>
>>> - Simplified Chinese has been added and has already reached 32%
>> coverage
>>>
>>
>> There's actually a problem with the Chinese translation, it's been
>> deleted
>> for some reason.
>>
>> Rémy
> 
> Again? Groan. I should be able to undo that. Give me a few minutes...

Done. 890 recovered.

Mark




Re: Translations update

2018-11-22 Thread Mark Thomas
On November 22, 2018 5:13:36 PM UTC, "Rémy Maucherat"  wrote:
>On Wed, Nov 21, 2018 at 10:58 AM Mark Thomas  wrote:
>
>> - Simplified Chinese has been added and has already reached 32%
>coverage
>>
>
>There's actually a problem with the Chinese translation, it's been
>deleted
>for some reason.
>
>Rémy

Again? Groan. I should be able to undo that. Give me a few minutes...

Mark




Re: CVE-2018-11759 vulnerability checking

2018-11-22 Thread Mark Thomas
On November 22, 2018 4:19:40 PM UTC, GNK G  wrote:
>Hello Team,
>
>According to the link below, we can check the vulnerability using the
>"status" worker:
>
>https://www.immunit.ch/blog/2018/11/01/cve-2018-11759-apache-mod_jk-access-bypass/
>
>I am able to simulate the issue using the above method.
>
>But it is specific only to the "status" worker.
>
>Does that mean the issue is specific only to the "status" worker, and if we
>don't use it, we are not vulnerable?

No. The vulnerability is not specific to the status worker.

>I am trying the same method on other URLs (by appending ;) on our
>server, and it always goes to authentication. So can I assume it does not
>affect other parts of our server?

No. Whether or not you are vulnerable will depend on multiple factors.

If you are applying access controls in httpd to a subset of the URLs served by
Tomcat or if Tomcat serves only a subset of the URLs accessible through httpd
then you are probably vulnerable.

Mark

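Mark's point is that the risk lives in the deployment shape: httpd restricts some of the URLs it forwards to Tomcat, and any difference between how httpd and mod_jk see a URL turns that restriction into the only control. A defense-in-depth measure is to enforce the same restriction inside Tomcat, on the path Tomcat itself dispatches on. The filter below is an added example, not Tomcat's code and not from this thread; the protected prefixes /admin and /manager, the permitted network 10.0.0.0/8 and the class name are hypothetical values. It relies on two facts about Tomcat: getServletPath() and getPathInfo() are returned with path parameters (the ;... segments) already removed, and over AJP the original client address is forwarded, so getRemoteAddr() returns the client as httpd saw it.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example (not Tomcat's code, not from the thread): re-applies in Tomcat the
 * client-network restriction httpd is expected to enforce in front of mod_jk.
 * Hypothetical values: protected prefixes /admin and /manager, allowed network
 * 10.0.0.0/8. Map it to /* so it runs for every request.
 */
public class ProtectedPrefixFilter implements Filter {

    static final String[] PROTECTED_PREFIXES = {"/admin", "/manager"};
    static final String ALLOWED_CIDR = "10.0.0.0/8";
    private static final Pattern IPV4 = Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}");

    /** Servlet path plus path info: Tomcat has already stripped any ;param segments. */
    static String normalizedPath(HttpServletRequest req) {
        String path = req.getServletPath();
        return req.getPathInfo() == null ? path : path + req.getPathInfo();
    }

    /** Exact match or a sub-path of a protected prefix; "/adminx" is not protected. */
    static boolean isProtected(String path) {
        for (String prefix : PROTECTED_PREFIXES) {
            if (path.equals(prefix) || path.startsWith(prefix + "/")) {
                return true;
            }
        }
        return false;
    }

    /** IPv4-only CIDR test; anything that is not a dotted quad (e.g. IPv6) is treated as outside. */
    static boolean inCidr(String address, String cidr) {
        if (address == null || !IPV4.matcher(address).matches()) {
            return false;
        }
        String[] parts = cidr.split("/");
        int bits = Integer.parseInt(parts[1]);
        int mask = bits == 0 ? 0 : -1 << (32 - bits);
        return (toInt(address) & mask) == (toInt(parts[0]) & mask);
    }

    private static int toInt(String dotted) {
        int value = 0;
        for (String octet : dotted.split("\\.")) {
            value = (value << 8) | Integer.parseInt(octet);
        }
        return value;
    }

    @Override
    public void init(FilterConfig config) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // Decide on Tomcat's own normalized path rather than trusting the front end.
        if (isProtected(normalizedPath(req)) && !inCidr(req.getRemoteAddr(), ALLOWED_CIDR)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register it with a filter-mapping of /* in web.xml (or @WebFilter("/*")) and list it before any other filter. It complements, not replaces, upgrading mod_jk: the fix for CVE-2018-11759 shipped in Tomcat Connectors 1.2.46. Where the restriction applies to a whole web application rather than a prefix, Tomcat's own RemoteAddrValve on the Context is the configuration-only equivalent.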



Re: Translations update

2018-11-22 Thread Rémy Maucherat
On Wed, Nov 21, 2018 at 10:58 AM Mark Thomas  wrote:

> - Simplified Chinese has been added and has already reached 32% coverage
>

There's actually a problem with the Chinese translation, it's been deleted
for some reason.

Rémy


CVE-2018-11759 vulnerability checking

2018-11-22 Thread GNK G
Hello Team,

According to the link below, we can check the vulnerability using the "status"
worker:

https://www.immunit.ch/blog/2018/11/01/cve-2018-11759-apache-mod_jk-access-bypass/

I am able to simulate the issue using the above method.

But it is specific only to the "status" worker.

Does that mean the issue is specific only to the "status" worker, and if we don't
use it, we are not vulnerable?

I am trying the same method on other URLs (by appending ;) on our server, and it
always goes to authentication. So can I assume it does not affect other parts
of our server?

Could someone please provide input on this?

Thanks,
Navanee


javax.websocket.Session.getRequestParameterMap() encoding

2018-11-22 Thread Johan Compagner
Hi,

If we send a value that is UTF-8 URL-encoded to the websocket:

H%C3%BCnenberg

then somehow Tomcat just encodes that using, I think, "ISO-8859-1".

If we are in a filter or servlet we just do:

request.setCharacterEncoding("UTF8");

and then ask for the parameter map, then everything is fine: it will be
decoded correctly to Hünenberg.

The problem is, how do we do that in a websocket scenario?

The session object of a WebSocket doesn't have anything for that as far as
I can see; the same goes for ServerEndpointConfig.Configurator using
the modifyHandshake method.



-- 
Johan Compagner
Servoy
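Mark's reply in this thread gives two options, and Johan's follow-up (confirmed by Mark for Tomcat) is the second one: a filter mapped to the WebSocket URL that sets the encoding before the request reaches Tomcat's own WebSocket filter, which Tomcat places at the end of the chain. The class below is an added example, not code from the thread and not Tomcat's own; the endpoint path /websocket and the filter name are assumptions, and it targets the javax.servlet API used by Tomcat 8.5 and 9.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;

/*
 * Added example (not from the thread, not Tomcat's code): fixes the request
 * encoding on the WebSocket handshake request before Tomcat's WsFilter, last in
 * the chain, performs the upgrade. The /websocket path is an assumption.
 */
@WebFilter(filterName = "handshakeEncodingFilter", urlPatterns = "/websocket")
public class HandshakeEncodingFilter implements Filter {

    static final String ENCODING = StandardCharsets.UTF_8.name();

    @Override
    public void init(FilterConfig config) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // The encoding is locked in the first time parameters are read, so it must be
        // set before anything in the chain (including the upgrade) touches getParameterMap().
        request.setCharacterEncoding(ENCODING);
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

One caveat worth checking in server.xml: on Tomcat, the encoding set with setCharacterEncoding() is applied to query-string parameters only when the Connector has useBodyEncodingForURI="true"; otherwise the Connector's URIEncoding attribute decides, which is Mark's first option. Handshake parameters arrive in the query string, so one of the two settings has to be in place for the filter to change what Session.getRequestParameterMap() returns.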


Re: http status 404 - not found

2018-11-22 Thread Karen Goh



On Mon, 11/19/18, Salil Misra  wrote:

 Subject: Re: http status 404 - not found
 To: users@tomcat.apache.org, karenwo...@yahoo.com
 Date: Monday, November 19, 2018, 9:14 PM
 
 Just a quick check, have you saved your view page as a JSP and not as HTML?
 If it's saved as HTML, this might be the possible cause.
 
 Thanks.
 
 
 
 On Sun, 18 Nov 2018 at 09:31, Karen Goh wrote:
 
 > Hello Tomcat user group,
 >
 > I hope that this question is valid cos I googled and many related issues
 > like this pointed to a server problem.
 >
 > Tomcat version : 8.5.24
 > IDE : Eclipse Oxygen
 > OS : Windows 10
 >
 > Basically, I have created a maven structured web app and after right-click
 > my tutorRegister page, and the form submitted, http status 404 appeared.
 >
 > This is what appeared in my browser :
 >
 > /webApp-hi5/$%7BpageContext.request.contextPath%7D/addTutor
 >
 > I have checked my past project and there was no problem in getting the
 > form submitted but when I made the project into maven type, I am getting
 > the above error.
 >
 > action="${pageContext.request.contextPath}/addTutor"
 >
 > Here's my pom.xml ;
 >
 > 4.0.0
 > com.hi5Supreme.web
 > webApp-hi5
 > 0.0.1-SNAPSHOT
 > war
 > webApp-hi5 Maven Webapp
 > UTF-8
 > 1.8
 > 1.8
 > webApp-hi5
 > src/main/webapp
 > maven-clean-plugin 3.0.0
 > maven-resources-plugin 3.0.2
 > maven-compiler-plugin 3.7.0
 > maven-surefire-plugin 2.20.1
 > maven-war-plugin 3.2.0 webApp-hi5
 > maven-install-plugin 2.5.2
 > maven-deploy-plugin 2.8.2
 > javax.servlet.jsp javax.servlet.jsp-api 2.3.1 provided
 > javax.servlet jsp-api 2.0
 > jstl jstl provided 1.2
 > org.lazyluke log4jdbc-remix 0.2.7
 > mysql mysql-connector-java 8.0.12 provided
 > javax.servlet javax.servlet-api 3.1.0 provided
 > junit junit 4.11 test
 >
 > Hope someone can let me know if I have missed out anything.
 >
 > Tks.
 >




Re: Translations update

2018-11-22 Thread Huxing Zhang
This is really awesome!

I am willing to help out with Chinese Translation.

On Wed, Nov 21, 2018 at 5:58 PM Mark Thomas  wrote:
>
> Hi all,
>
> I wanted to let you know about the amazing progress that is being made
> on the Tomcat translations at
> https://poeditor.com/join/project/NUTIjDWzrl
>
> In the short time since this effort has started the community has
> achieved the following:
>
> - French has increased from 18% to 64% coverage
> - Simplified Chinese has been added and has already reached 32% coverage
> - Korean has been added and has reached 10% coverage
> - German has increased from 2% to 7% coverage
> - Brazilian Portuguese has been added and has reached 4% coverage
> - Spanish has increased from 42% to 44% coverage
>
> as well as a smaller number of additions and corrections to another 6
> languages.
>
> A big thank you to everyone who has contributed.
>
> There is still lots to do so if you would like to help out please join
> us at:
> https://poeditor.com/join/project/NUTIjDWzrl
>
> Thanks,
>
> Mark
>
>


-- 
Best Regards!
Huxing




Re: help installing mod_jk on Centos 7 on a Google Cloud server

2018-11-22 Thread Greg Huber
> Nov 21 18:32:37 server2 httpd[24339]: AH00526: Syntax error on line 63 of
> /etc/httpd/conf/httpd.conf:
> Nov 21 18:32:37 server2 httpd[24339]: Invalid command 'JkWorkersFile',
> perhaps misspelled or defined by a module not included in the server
> configuration

Line 63? Possibly you have not loaded mod_jk.so?

To test config use :
apachectl configtest

List config:
apachectl -S


Don't change httpd.conf if possible.
From my notes (this always works for me):

Build mod_jk.so:
yum install httpd-devel
download tomcat-connectors-x.x.xx-src.tar.gz
extract and cd into the native folder
cd /opt/apache-tomcat/tomcat-connectors-x.x.xx-src/native
./configure --with-apxs=/usr/bin/apxs
make
copy file ./apache-2.0/mod_jk.so to /etc/httpd/modules
make clean
--
if you create a file /etc/httpd/conf.modules.d/10-my.conf (rather than
changing /etc/httpd/conf/httpd.conf)

/etc/httpd/conf.modules.d/10-my.conf:

LoadModule jk_module modules/mod_jk.so

--
if you create a file /etc/httpd/conf.d/my.conf (rather than changing
/etc/httpd/conf/httpd.conf)
/etc/httpd/conf.d/my.conf:



JkWorkersFile "/etc/httpd/conf.d/workers.properties"
JkLogFile "/etc/httpd/logs/mod_jk.log"
JkShmFile "/etc/httpd/logs/jk-runtime-status.log"
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"



ServerAdmin m...@www.me.com
DocumentRoot /var/www/html
ServerName www.me.com
ServerAlias me.com


Require all denied


Require all denied

...
JkMount  / worker1
JkMount  /* worker1
 ...





On Wed, 21 Nov 2018 at 18:41, Lou Wallace  wrote:

> Hey Greg,
>
> Thanks for the info. I changed both httpd.conf and workers.properties to
> your settings. Got the same error msg when I restarted httpd.
>
> When I checked journalctl I get
>
> ● httpd.service - The Apache HTTP Server
>Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor
> preset: disabled)
>Active: failed (Result: exit-code) since Wed 2018-11-21 18:32:37 UTC;
> 3min 51s ago
>  Docs: man:httpd(8)
>man:apachectl(8)
>   Process: 24340 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited,
> status=1/FAILURE)
>   Process: 24339 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
> (code=exited, status=1/FAILURE)
>  Main PID: 24339 (code=exited, status=1/FAILURE)
> Nov 21 18:32:37 server2 systemd[1]: Starting The Apache HTTP Server...
> Nov 21 18:32:37 server2 httpd[24339]: AH00526: Syntax error on line 63 of
> /etc/httpd/conf/httpd.conf:
> Nov 21 18:32:37 server2 httpd[24339]: Invalid command 'JkWorkersFile',
> perhaps misspelled or defined by a module not included in the server
> configuration
> Nov 21 18:32:37 server2 systemd[1]: httpd.service: main process exited,
> code=exited, status=1/FAILURE
> Nov 21 18:32:37 server2 kill[24340]: kill: cannot find process ""
> Nov 21 18:32:37 server2 systemd[1]: httpd.service: control process exited,
> code=exited status=1
> Nov 21 18:32:37 server2 systemd[1]: Failed to start The Apache HTTP Server.
> Nov 21 18:32:37 server2 systemd[1]: Unit httpd.service entered failed
> state.
> Nov 21 18:32:37 server2 systemd[1]: httpd.service failed.
>
>
>
> On Wed, Nov 21, 2018 at 11:31 AM Greg Huber  wrote:
>
> > For my centos/mod_jk I use :
> >
> > /etc/httpd/conf.d/my.conf :
> >
> > ...
> > JkWorkersFile "/etc/httpd/conf.d/workers.properties"
> > JkLogFile "/etc/httpd/logs/mod_jk.log"
> > JkShmFile "/etc/httpd/logs/jk-runtime-status.log"
> > JkLogLevel info
> > JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
> > 
> > JkMount  / worker1
> > JkMount  /* worker1
> > 
> >
> > workers.properties :
> > # Define 1 real worker using ajp13
> > worker.list=worker1
> > # Set properties for worker1 (ajp13)
> > worker.worker1.type=ajp13
> > worker.worker1.host=localhost
> > worker.worker1.port=8009
> > worker.worker1.socket_keepalive=1
> >
> >
> > On Wed, 21 Nov 2018 at 16:19, Lou Wallace 
> wrote:
> >
> > > Hi Everyone,
> > >
> > > So still having issues with mod_jk. I have downloaded
> > >
> > > wget
> > >
> > >
> >
> http://www.eu.apache.org/dist/tomcat/tomcat-connectors/jk/tomcat-connectors-1.2.46-src.tar.gz
> > > wget
> > >
> > >
> >
> http://www.eu.apache.org/dist/tomcat/tomcat-connectors/jk/tomcat-connectors-1.2.46-src.tar.gz.sha1
> > >
> > > and make install, and everything seems fine
> > >
> > > I then edited the httpd.conf file and added
> > >
> > > LoadModule jk_module modules/mod_jk.so
> > >
> > > JkWorkersFile "/etc/httpd/conf/workers.properties"
> > > JkLogFile "/var/log/mod_jk.log"
> > > JkLogLevel  info
> > > JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
> > > JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
> > > JkRequestLogFormat "%w %V %T"
> > >
> > > then I edited workers.properties and added
> > >
> > > worker.list=app1,app2
> > >
> > > worker.app1.type=ajp13
> > > worker.app1.host=app1.example.com
> > > worker.app1.port=8201
> > > worker.app1.socket_timeout=10
> > >
> > > worker.app2.type=ajp13
> > > worker.app2.host=app2.example.com
> > >