Marvin, you are mostly correct. Except if you use REST....
Robert

On 09.02.2011 at 17:21, Marvin Addison wrote:
>> As noted above, every script kiddie can crash your remotely available java
>> app by simply sending the magic string in the HTTP-HEADER (e.g. by using
>> curl).
>
> There are a few requirements that must be met in order to
> facilitate remote exploitation using an attack like you mentioned:
>
> 1. Vulnerable Tomcat version (Most recent 6.0.32 and 7.0.8 contain
>    fixes, see http://tomcat.apache.org/tomcat-6.0-doc/changelog.html and
>    http://tomcat.apache.org/tomcat-7.0-doc/changelog.html)
> 2. Servlet must call ServletRequest#getLocale() or
>    ServletRequest#getLocales() to exercise vulnerable codepath in Tomcat
> 3. Vulnerable JVM
>
> I have not audited CAS for susceptibility to this vulnerability, but
> it's entirely possible if it's running on a vulnerable Tomcat/JVM
> combination. I would imagine that any internationalized application
> may be susceptible and should be examined carefully.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
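As an added example (not code from this thread, from CAS, or from Tomcat): requirement 2 above is what a deployment can control without waiting on a Tomcat or JVM upgrade, because ServletRequest#getLocales() is derived from the request's Accept-Language header. The servlet filter below validates that header against the RFC 2616 grammar (language-range and a qvalue of `0[.ddd]` or `1[.000]`) and rejects anything else with 400 before any servlet behind it reaches the getLocale()/getLocales() codepath, so the container never has to parse an arbitrary attacker-supplied number. It assumes a Servlet 2.5-style javax.servlet API; the class name, the 512-byte length bound and the logging hook are this example's own choices.

```java
import java.io.IOException;
import java.util.logging.Logger;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects requests whose Accept-Language header does not conform to the
 * RFC 2616 grammar, before any downstream servlet calls
 * getLocale()/getLocales() and makes the container parse the q-values.
 * Illustrative filter; not part of CAS or Tomcat.
 */
public class AcceptLanguageFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(AcceptLanguageFilter.class.getName());

    // language-range = ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*"
    // (RFC 4647 also permits digits in subtags, so they are allowed here)
    private static final Pattern LANGUAGE_RANGE =
        Pattern.compile("\\*|[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*");

    // qvalue = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
    // Anything outside this grammar is rejected without ever being parsed as a double.
    private static final Pattern QVALUE =
        Pattern.compile("0(\\.\\d{0,3})?|1(\\.0{0,3})?");

    /** Returns true if the header value is a well-formed Accept-Language list. */
    static boolean isWellFormed(String header) {
        if (header == null) return true;           // absent header: nothing to parse
        if (header.length() > 512) return false;   // sanity bound chosen for this example
        for (String element : header.split(",")) {
            element = element.trim();
            if (element.isEmpty()) continue;       // RFC list rule tolerates empty elements
            String[] parts = element.split(";");
            if (!LANGUAGE_RANGE.matcher(parts[0].trim()).matches()) return false;
            for (int i = 1; i < parts.length; i++) {
                String param = parts[i].trim();
                if (!param.startsWith("q=")) return false;
                if (!QVALUE.matcher(param.substring(2)).matches()) return false;
            }
        }
        return true;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String acceptLanguage = request.getHeader("Accept-Language");
        if (!isWellFormed(acceptLanguage)) {
            // Log the rejection so malformed headers show up in monitoring;
            // the raw value is deliberately not logged.
            LOG.warning("Rejected malformed Accept-Language header from "
                + request.getRemoteAddr());
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                "Malformed Accept-Language header");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Map the filter to `/*` in web.xml ahead of any application filters so it runs before the first getLocale() call; the filter itself never calls getLocale(), which is the point. Note that this protects the web application's own codepath only, so it is a stopgap for deployments that cannot yet move to the fixed Tomcat and JVM versions Marvin lists, not a substitute for them.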