> As noted above, every script kiddie can crash your remotely available java
> app by simply sending the magic string in the HTTP-HEADER (e.g. by using
> curl).

There are a few requirements that must be met in order to facilitate remote exploitation using an attack like you mentioned:

1. Vulnerable Tomcat version (Most recent 6.0.32 and 7.0.8 contain fixes, see http://tomcat.apache.org/tomcat-6.0-doc/changelog.html and http://tomcat.apache.org/tomcat-7.0-doc/changelog.html)
2. Servlet must call ServletRequest#getLocale() or ServletRequest#getLocales() to exercise vulnerable codepath in Tomcat
3. Vulnerable JVM

I have not audited CAS for susceptibility to this vulnerability, but it's entirely possible if it's running on a vulnerable Tomcat/JVM combination. I would imagine that any internationalized application may be susceptible and should be examined carefully.

M
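
A triage helper for the three requirements listed in the message above, added here as an example and not code from the poster, Tomcat or CAS. The function names, verdict labels and sample servlet are constructed for illustration, and whether the JVM is vulnerable is passed in by the caller because the message does not list affected JVM versions.

```python
import re

# Releases the message names as containing the fix, keyed by branch.
FIXED = {(6, 0): (6, 0, 32), (7, 0): (7, 0, 8)}
# Matches .getLocale() and .getLocales(). It also matches unrelated classes,
# so every hit is a candidate for manual review, not a confirmed finding.
LOCALE_CALL = re.compile(r"\.\s*getLocales?\s*\(\s*\)")
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def tomcat_status(version):
    """Classify a Tomcat version string as 'fixed', 'unfixed' or 'unknown'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return "unknown"
    v = tuple(int(p) for p in m.groups())
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown"  # branch not mentioned in the message
    return "fixed" if v >= fixed else "unfixed"

def locale_call_sites(java_source):
    """Return (line_number, text) for each candidate call outside comments."""
    # Blank out comments but keep newlines so line numbers stay correct.
    code = COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), java_source)
    return [(n, line.strip())
            for n, line in enumerate(code.splitlines(), 1)
            if LOCALE_CALL.search(line)]

def triage(tomcat_version, java_source, jvm_vulnerable):
    """Combine the three requirements into a verdict plus the call sites."""
    status = tomcat_status(tomcat_version)
    sites = locale_call_sites(java_source)
    if status == "fixed" or not jvm_vulnerable:
        return "not-exposed", sites      # requirement 1 or 3 is not met
    if not sites:
        return "no-direct-call", sites   # requirement 2 not seen in this source
    return ("needs-review" if status == "unknown" else "likely-exposed"), sites

# Constructed sample servlet, not taken from CAS.
SAMPLE = """\
public class Hello extends HttpServlet {
  // req.getLocale() in a comment must not count
  protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
    Locale l = req.getLocale();
  }
}
"""
```

A source scan misses calls that frameworks or libraries make on the application's behalf, so "no-direct-call" means the search came up empty in the code given, not that the code path is unreachable.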
