https://issues.apache.org/bugzilla/show_bug.cgi?id=49352

           Summary: Apache sends multiple AJP forward requests without
                    waiting for the response
           Product: Apache httpd-2
           Version: 2.2.9
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: mod_proxy_ajp
        AssignedTo: [email protected]
        ReportedBy: [email protected]


We use apache with mod_proxy_ajp to connect it through AJPv13 to a servlet
container. We discovered an issue with this under certain load situations or
apache configurations.

The most urgent thing is that Apache sends multiple AJP forward requests without
waiting for the response. An essential thing of AJPv13 connections is their
control of data flow. Quote from the mod_proxy_ajp documentation:

"Once a connection is assigned to a particular request, it will not be used for
any others until the request-handling cycle has terminated. In other words,
requests are not multiplexed over connections. This makes for much simpler code
at either end of the connection, although it does cause more connections to be
open at once."

I will attach a TCP capture showing the multiple sent requests. This capture
only contains 3 request cycles of a single TCP connection. The first request
cycle is fine. After this first fine request cycle Apache sends 2 forward
requests followed by their request body. After the first of those 2 requests
Apache has to wait for the response of the servlet container, which it does not
do. The packet size of the 2 requests seems to be so small that their data is
kept in some TCP stack or network buffers, causing the second request not to be
blocked on its write.

All requests show pretty clearly that they are login requests. The response
will set the secret cookies in the client and contain the session information
in the body and therefore authorize the client for a session. In addition to
the multiply sent forward requests, the responses to those requests are not sent
to the correct client. We discovered those responses to be sent to any client.
This means that any client may now be authorized for some session definitely
not belonging to the user in front of that client. So this issue causes a
security problem. I did not report this as a security problem because it
depends on the AJP server whether those duplicated requests are all responded to.

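The flow-control rule quoted from the mod_proxy_ajp documentation, and the packet sequence the report describes, as an added example that is not part of the bug report, its attached capture, or httpd's own code: a small Python encoder and parser for just the AJP13 subset involved (FORWARD_REQUEST, request body chunk, END_RESPONSE; the client address, host name and login bodies are hypothetical, and the capture is constructed), plus a checker that walks packets in wire order and flags a FORWARD_REQUEST sent on a connection before the previous request's END_RESPONSE has come back.

```python
import struct

MAGIC_TO_CONTAINER = b"\x12\x34"        # web server -> servlet container
MAGIC_TO_SERVER = b"AB"                 # servlet container -> web server
JK_FORWARD_REQUEST, JK_END_RESPONSE = 2, 5
SC_M_POST, SC_REQ_CONTENT_TYPE, SC_REQ_CONTENT_LENGTH = 4, 0xA007, 0xA008
SC_REQ_HEADER_NAMES = {SC_REQ_CONTENT_TYPE: "content-type", SC_REQ_CONTENT_LENGTH: "content-length"}


def ajp_string(s):
    """AJP string: 2-byte length, bytes, NUL; 0xFFFF means 'absent'."""
    return b"\xff\xff" if s is None else struct.pack(">H", len(s.encode())) + s.encode() + b"\x00"


def packet(magic, payload):
    return magic + struct.pack(">H", len(payload)) + payload


def forward_request(uri, body):
    """Minimal POST FORWARD_REQUEST; client address and host name are hypothetical."""
    p = bytes([JK_FORWARD_REQUEST, SC_M_POST]) + ajp_string("HTTP/1.1") + ajp_string(uri)
    p += ajp_string("10.0.0.5") + ajp_string(None) + ajp_string("www.example.test")
    p += struct.pack(">H", 80) + b"\x00"                       # server_port, is_ssl
    p += struct.pack(">HH", 2, SC_REQ_CONTENT_TYPE) + ajp_string("application/x-www-form-urlencoded")
    p += struct.pack(">H", SC_REQ_CONTENT_LENGTH) + ajp_string(str(len(body)))
    return packet(MAGIC_TO_CONTAINER, p + b"\xff")               # 0xFF: no attributes


def body_chunk(data):
    """Request body chunk: no prefix code, only 2-byte length + data."""
    return packet(MAGIC_TO_CONTAINER, struct.pack(">H", len(data)) + data)


END_RESPONSE_PACKET = packet(MAGIC_TO_SERVER, bytes([JK_END_RESPONSE, 1]))  # reuse = 1


class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]
    def int16(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]
    def string(self):
        n = self.int16()
        if n == 0xFFFF:
            return None
        self.pos += n + 1
        return self.data[self.pos - n - 1:self.pos - 1].decode()


def parse_forward_request(payload):
    """Read just enough of a FORWARD_REQUEST to get its URI and Content-Length."""
    r = Reader(payload)
    assert r.byte() == JK_FORWARD_REQUEST
    r.byte(); r.string()                                    # method, protocol
    uri = r.string()
    r.string(); r.string(); r.string()                      # remote_addr, remote_host, server_name
    r.int16(); r.byte()                                     # server_port, is_ssl
    headers = {}
    for _ in range(r.int16()):
        code = r.int16()
        if code & 0xFF00 == 0xA000:                         # well-known header sent as a code
            name = SC_REQ_HEADER_NAMES.get(code, "0x%04x" % code)
        else:                                               # literal name: 'code' was its length
            name, r.pos = r.data[r.pos:r.pos + code].decode(), r.pos + code + 1
        headers[name.lower()] = r.string()
    return {"uri": uri, "content_length": int(headers.get("content-length", "0"))}


def check_capture(packets):
    """One message per FORWARD_REQUEST sent while an earlier one still has no END_RESPONSE.
    Body chunks carry no prefix code, so packet type is decided from connection state."""
    violations, in_flight, body_left = [], [], 0
    for i, pkt in enumerate(packets):
        magic, payload = pkt[:2], pkt[4:4 + struct.unpack(">H", pkt[2:4])[0]]
        if magic == MAGIC_TO_CONTAINER:
            if body_left > 0:                               # container is still expecting body
                body_left -= struct.unpack(">H", payload[:2])[0]
            elif payload[0] == JK_FORWARD_REQUEST:
                req = parse_forward_request(payload)
                if in_flight:
                    violations.append("packet %d: FORWARD_REQUEST for %s sent before END_RESPONSE for %s" % (i, req["uri"], in_flight[-1]))
                in_flight.append(req["uri"])
                body_left = req["content_length"]
        elif magic == MAGIC_TO_SERVER and payload[0] == JK_END_RESPONSE and in_flight:
            in_flight.pop(0)                                # oldest open request is answered
    return violations


def capture(multiplexed):
    """Three /login cycles on one connection (constructed data, not the attached capture).
    multiplexed=True reproduces the described sequence: good first cycle, then two
    FORWARD_REQUESTs plus their bodies before any END_RESPONSE comes back."""
    bodies = [b"user=alice&pass=a", b"user=bob&pass=b", b"user=carol&pass=c"]
    reqs = [[forward_request("/login", b), body_chunk(b)] for b in bodies]
    if multiplexed:
        return reqs[0] + [END_RESPONSE_PACKET] + reqs[1] + reqs[2] + [END_RESPONSE_PACKET] * 2
    return reqs[0] + [END_RESPONSE_PACKET] + reqs[1] + [END_RESPONSE_PACKET] + reqs[2] + [END_RESPONSE_PACKET]
```

`check_capture(capture(False))` returns an empty list; `check_capture(capture(True))` returns one violation at packet 5, the second FORWARD_REQUEST sent while the one at packet 3 is still open. The checker deliberately decides "forward request or body chunk" from state rather than from the first payload byte, because a body chunk of 512 to 767 bytes also starts with 0x02; that is the same ambiguity the container faces, and why a second FORWARD_REQUEST arriving where a body chunk is expected can be silently misread.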