I just tried a similar situation on NT 4.0 with 3.0 / SP1 and could not
reproduce it.
Could you package up your app into a war file and send it to me so that I
can try it here?
Thanks,
Steve Penella
Allaire QA
-----Original Message-----
From: Ramakrishnan Venkataraman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 02, 2000 1:43 PM
To: JRun-Talk
Cc: Ramakrishnan Venkataraman
Subject: JRun authentication can be defeated
Apparently JRUN authentication (JRUN 3.1, Win NT) can be compromised if you
access html files using a different case.
I am using the JRun form based authentication mechanism for protecting
access to JSP, html and servlet files.
The URL pattern I use in web.xml is this:
<url-pattern>/Debug/*</url-pattern>
<url-pattern>/Admin/*</url-pattern>
If I access a page like this: /Admin/AdminHome.html, I do get the login
form.
If I change the URL to: /admin/AdminHome.html (note 'admin' is using
lower case)
the login form does not appear, and I get free access to the page!
I think this is a serious limitation.
How can I protect access to html pages independent of case?
It does not make sense to have all possible case combinations (like admin,
aDmin, etc.) in the web.xml files. There are too many combinations (2 **
length) and this will also slow down JRun.
JSP files do not show this problem (e.g. /admin/AdminHome.jsp), simply
because JRun throws a nasty error if the case is different from the actual
name on disk. I am not sure I like this behaviour, but at least it does not
compromise security.
Converting all html files to jsp is not an option for us.
What can I do?
Thanks in advance for any help.
- Venky
Nortel Networks
[EMAIL PROTECTED]
------------------------------------------------------------------------------
Archives: http://www.egroups.com/group/jrun-interest/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/jrun_talk
or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the
body.
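The bypass Venky describes is a canonicalization mismatch: the servlet security constraint is matched case-sensitively against the URL as typed, while the file is then located on a case-insensitive NT filesystem, so /admin/AdminHome.html escapes the /Admin/* constraint yet still serves the protected file. The script below is an added example written for this archive page; it is not JRun code and not code from either poster. It simulates the container, the web.xml patterns and an NT-style filesystem in memory (all constructed data) and shows the vulnerable check beside the fixed one, which applies the same case equivalence to the authorization decision that the filesystem applies to the lookup. It also enumerates the 2**n case spellings of the directory name, the search space the mailing-list post says cannot reasonably be listed by hand.

```python
"""
Case-variant bypass of a path-based security constraint, and the fix.

Added example; not JRun's code and not from the original posters.  The
container, the filesystem and the web.xml constraints are all simulated
in memory (constructed data) so that this runs offline.
"""
import itertools
import posixpath

# Constructed: the URL patterns from the post's web.xml.  Servlet-style
# patterns are matched case-sensitively, which is the root of the problem.
PROTECTED_PATTERNS = ["/Debug/*", "/Admin/*"]

# Constructed: files as they are spelled on disk under the web app root.
ON_DISK = {
    "/Admin/AdminHome.html",
    "/Admin/users.html",
    "/Debug/trace.html",
    "/index.html",
}


def pattern_matches(pattern, path):
    """Servlet-style matching: '/foo/*' is a prefix match, anything else
    is an exact match.  Case-sensitive, as servlet containers do it."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def is_protected(path):
    return any(pattern_matches(p, path) for p in PROTECTED_PATTERNS)


def nt_resolve(path):
    """Simulate a case-insensitive filesystem (Windows NT): return the
    on-disk spelling of `path`, or None if no such file exists."""
    normalized = posixpath.normpath(path)
    for real in ON_DISK:
        if real.lower() == normalized.lower():
            return real
    return None


def vulnerable_serve(path, authenticated):
    """Check the constraint on the raw URL, then let the case-insensitive
    filesystem find the file.  Mirrors the behaviour reported in the post."""
    if is_protected(path) and not authenticated:
        return "login-form"
    real = nt_resolve(path)
    return "200 " + real if real else "404"


def hardened_serve(path, authenticated):
    """Fold case and collapse dot segments before matching the constraint,
    i.e. decide authorization under the same equivalence the filesystem
    uses for the lookup.  Done before the lookup, so a miss under /Admin/
    still yields the login form rather than a 404 existence oracle."""
    canon = posixpath.normpath(path).lower()
    protected = any(pattern_matches(p.lower(), canon) for p in PROTECTED_PATTERNS)
    if protected and not authenticated:
        return "login-form"
    real = nt_resolve(path)
    return "200 " + real if real else "404"


def case_variants(segment):
    """Every upper/lower spelling of the letters in `segment` (2**n for n
    letters): what the post would otherwise have to list in web.xml."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in segment]
    return ["".join(t) for t in itertools.product(*choices)]


def bypass_count(serve, directory, filename):
    """Number of case spellings of `directory` under which an
    unauthenticated client gets `filename` with a 200 from `serve`."""
    return sum(
        1 for d in case_variants(directory)
        if serve(d + "/" + filename, False).startswith("200")
    )


if __name__ == "__main__":
    for url in ("/Admin/AdminHome.html", "/admin/AdminHome.html", "/ADMIN/adminhome.HTML"):
        print(f"{url:26} vulnerable={vulnerable_serve(url, False):28} hardened={hardened_serve(url, False)}")
    print("bypassing spellings of /Admin, vulnerable:",
          bypass_count(vulnerable_serve, "/Admin", "AdminHome.html"))
    print("bypassing spellings of /Admin, hardened:  ",
          bypass_count(hardened_serve, "/Admin", "AdminHome.html"))
```

Running it shows 31 of the 32 spellings of /Admin slipping past the raw check and none past the folded one. The general rule is the one the example encodes: an access-control decision must be made on the same canonical form of the name that the resource lookup actually uses, whether the equivalence is case folding, dot-segment removal, trailing dots, or 8.3 short names. In a deployment where the container itself cannot be fixed, the same check has to sit in a component that every request for the protected static files passes through, ahead of the file lookup.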