Cross site Vulnerability in Apache2.2.11

2015-03-31 Thread D, Dwarakesh
Hello, one of our applications is running on Tomcat and the requests are being redirected by Apache to Tomcat. When we did a vulnerability scan for that application, we encountered a cross-site scripting vulnerability. To remediate this, I have added the below snippet in the httpd.conf file and did

Re: PNG images are served intermittently in Apache Tomcat 8.0.15

2015-03-31 Thread Mark Thomas
On 31/03/2015 10:29, Selvakumar Sellamuthu Ayyavu wrote: Question: Is it a known problem? No. If so, can I get a link from issue tracker? N/A. Can I have a work around? N/A. If you want more info, please let me know... 1. Do you see the issue with Apache Tomcat 8.0.21? 2. If yes,

Re: How to use Jar Scan Filters

2015-03-31 Thread Thusitha Thilina Dayaratne
Hi All, I'm using embedded Tomcat as an OSGi bundle. In Tomcat 7.0.59 we extended the StandardJarScanner to scan some jars which reside in a custom location. Since these jars are needed for all the applications, putting them in WEB-INF is not applicable. We are now trying to use Tomcat 8.0.20

PNG images are served intermittently in Apache Tomcat 8.0.15

2015-03-31 Thread Selvakumar Sellamuthu Ayyavu
Hi All, Problem: PNG images are served intermittently from Apache Tomcat 8.0.15 in IE8 Platform: Windows Server 2008 Description: I have recently migrated from Tomcat 7 to Tomcat 8. Everything is working fine in Tomcat 8. Except these PNGs. But when I run WAR in Tomcat 7 these problems are not

Re: Post Session Id

2015-03-31 Thread André Warnier
Christopher Schultz wrote: André, On 3/30/15 6:07 PM, André Warnier wrote: Christopher Schultz wrote: Jeffrey, On 3/30/15 12:19 PM, Jeffrey Janner wrote: -Original Message- From:

Re: Cross site Vulnerability in Apache2.2.11

2015-03-31 Thread Christopher Schultz
Dwarak, On 3/31/15 5:27 AM, D, Dwarakesh wrote: One of our applications is running on Tomcat and the requests are being redirected by Apache to Tomcat. Do you mean proxied and not redirected? When we did vulnerability scan for that

Re: Post Session Id

2015-03-31 Thread Christopher Schultz
André, On 3/30/15 6:07 PM, André Warnier wrote: Christopher Schultz wrote: Jeffrey, On 3/30/15 12:19 PM, Jeffrey Janner wrote: -Original Message- From: Christopher Schultz

Re: Post Session Id

2015-03-31 Thread Wesley Acheson
Andre that works perfectly fine but not for our use case. On Tue, Mar 31, 2015 at 2:58 PM, André Warnier a...@ice-sa.com wrote: Christopher Schultz wrote: André, On 3/30/15 6:07 PM, André Warnier wrote: Christopher Schultz wrote:

Re: Post Session Id

2015-03-31 Thread André Warnier
Wesley Acheson wrote: Andre that works perfectly fine but not for our use case. Ok, thanks for the confirmation. My logical world is back on track now. Not to nitpick, but your previous post was the first one in which you mentioned SSL as part of the equation, wasn't it? If you still have

Re: Post Session Id

2015-03-31 Thread André Warnier
Wesley Acheson wrote: This is getting off topic. The website that surrounds our website is available under multiple domains. I.e. They white label their product. Hi. If you do not want to pursue this, I cannot and do not want to force you. But on the base of the scarce info available: if

Re: Post Session Id

2015-03-31 Thread Wesley Acheson
This is getting off topic. The website that surrounds our website is available under multiple domains. I.e. They white label their product. On Tue, Mar 31, 2015 at 4:52 PM, André Warnier a...@ice-sa.com wrote: Wesley Acheson wrote: Andre that works perfectly fine but not for our use case.

AJP Connector : question on mod_proxy_ajp

2015-03-31 Thread André Warnier
Hi. I have a question of my own. Tomcat 6.x/7.x/8.x. Until now, we have been using mostly the Apache httpd mod_jk connector to Tomcat. And we have been using the Tomcat AJP Connector's 'tomcatAuthentication=false' setting, to propagate the authenticated user from httpd to Tomcat. Now we

Re: AJP Connector : question on mod_proxy_ajp

2015-03-31 Thread Rainer Jung
On 31.03.2015 at 22:47, Christopher Schultz wrote: André, On 3/31/15 3:41 PM, André Warnier wrote: I have a question of my own. ??! +1 Tomcat 6.x/7.x/8.x. Until now, we have been using mostly the Apache httpd mod_jk connector to Tomcat.

Re: AJP Connector : question on mod_proxy_ajp

2015-03-31 Thread Andy Wang
On 03/31/2015 04:11 PM, Rainer Jung wrote: On 31.03.2015 at 22:47, Christopher Schultz wrote: André, On 3/31/15 3:41 PM, André Warnier wrote: I have a question of my own. ??! +1 Tomcat 6.x/7.x/8.x. Until now, we have been using mostly

Re: Post Session Id

2015-03-31 Thread Wesley Acheson
Guys, Thanks for all your suggestions, they are good suggestions but I'm not going to reply to them individually. The Valve for setting requested session Id works correctly. However, I implemented it POST only, which is causing problems; the application we are using has a number of redirects.

SSL configuration trouble with IIS, Tomcat and jkredirect

2015-03-31 Thread Arthur Cosma
Hello and thank you for the opportunity, this is my first post. Please note that all I did below is either expertise from the vendor (which is very uncooperative in regards to https) or by reading numerous bits of information on the web. Here is the environment: IIS 7(.5) web server running on

Re: AJP Connector : question on mod_proxy_ajp

2015-03-31 Thread Christopher Schultz
André, On 3/31/15 3:41 PM, André Warnier wrote: I have a question of my own. ??! Tomcat 6.x/7.x/8.x. Until now, we have been using mostly the Apache httpd mod_jk connector to Tomcat. And we have been using the Tomcat AJP Connector's