Jakarta Tomcat 4.1 XSS vulnerability

2003-09-28 Thread Kan Ogawa
Hi,

The Jakarta Tomcat 4.1 cross-site scripting vulnerability, which was
reported last year, is not yet resolved.
http://www.securityfocus.com/archive/82/288502/2002-08-16/2002-08-22/0

I verified this vulnerability on Tomcat 4.1.27 with Coyote HTTP/1.1
connector.
http://localhost:8080/666%0a%0ascriptalert(asdf);/script666.jsp

On the other hand, on Tomcat 5.0, it was not reproduced.
Do you neglect to resolve it to Tomcat 4.x, Tomcat committers?
Regards,

--
Kan Ogawa
[EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
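The report above is the classic reflected case: a server page writes the requested path back into HTML without escaping it, so whatever the client put into the URL becomes markup. As an added example (not code from this thread or from Tomcat itself), the following is the pattern a defender wants in any custom error page: everything taken from the request is passed through an HTML escaper before it reaches the response, and the charset is declared so the browser cannot be led into sniffing a different encoding from the echoed bytes. The class name, the servlet mapping and the sample path are assumptions for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example with hypothetical names: an error page that echoes the
 * requested path only after HTML-escaping it, so a crafted URL cannot
 * inject markup or script into the page.
 */
public class SafeNotFoundServlet extends HttpServlet {

    /** Escape the five characters that can break out of HTML text or attribute values. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuffer sb = new StringBuffer(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // When this servlet is the target of an <error-page> entry, the
        // container exposes the original URI under this Servlet 2.3 attribute.
        String uri = (String) req.getAttribute("javax.servlet.error.request_uri");
        if (uri == null) {
            uri = req.getRequestURI();
        }
        resp.setStatus(HttpServletResponse.SC_NOT_FOUND);
        // Fix the charset explicitly; never let the echoed bytes decide it.
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><head><title>404</title></head><body>");
        // The only untrusted value on the page goes through escapeHtml().
        out.println("<h1>The requested resource (" + escapeHtml(uri)
                + ") is not available</h1>");
        out.println("</body></html>");
    }

    /** Offline check on a constructed path; not invoked by the container. */
    public static void main(String[] args) {
        String constructed = "/app/<b>x</b>&\"y\".jsp";   // constructed sample input
        String escaped = escapeHtml(constructed);
        if (escaped.indexOf('<') >= 0 || escaped.indexOf('"') >= 0) {
            throw new IllegalStateException("escape failed: " + escaped);
        }
        System.out.println(escaped);
    }
}
```

To make the container use it, map the servlet (for example to /safe404) and add an <error-page> entry in web.xml with <error-code>404</error-code> and <location>/safe404</location>. The same escaping discipline applies to any other request-derived value (query parameters, headers) written into a page, including the encoded newlines in the report above, which are harmless in HTML text once the angle brackets around them are neutralised.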


cvs commit: jakarta-tomcat-5 build.xml

2003-09-28 Thread remm
remm        2003/09/28 05:23:27

  Modified:    .        build.xml
  Log:
  - Package the Manager class, which is supposedly needed by the
    deployer.
  
  Revision  Changes    Path
  1.160     +1 -0      jakarta-tomcat-5/build.xml
  
  Index: build.xml
  ===
  RCS file: /home/cvs/jakarta-tomcat-5/build.xml,v
  retrieving revision 1.159
  retrieving revision 1.160
  diff -u -r1.159 -r1.160
  --- build.xml 8 Sep 2003 10:11:10 -   1.159
  +++ build.xml 28 Sep 2003 12:23:27 -  1.160
  @@ -736,6 +736,7 @@
index=true
  fileset dir=${tomcat.build}/classes
 include name=org/apache/catalina/LifecycleListener.class /
  +  include name=org/apache/catalina/Manager.class /
 include name=org/apache/catalina/Pipeline.class /
 include name=org/apache/catalina/startup/Constants.class /
 include name=org/apache/catalina/startup/ContextConfig.class /
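Review bot: the log line hedges with "supposedly needed by the deployer", so the commit itself does not confirm the fix; before the related bug is closed, run the deployer's validation against the rebuilt jar, because `ContextConfig.class` is packaged from the same fileset and any other class it references that is still missing from the jar will fail in exactly the same way. A short XML comment beside the new `include name=org/apache/catalina/Manager.class /` line saying it exists for the deployer would stop a later cleanup from dropping it as an apparently unused entry.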
  
  
  




DO NOT REPLY [Bug 23463] - Deployer ValidationTask not work! Missing Classes...

2003-09-28 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23463.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23463

Deployer ValidationTask not work! Missing Classes...

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED



--- Additional Comments From [EMAIL PROTECTED]  2003-09-28 12:26 ---
For some unexplainable reason, the JDK tries to load this class, which is wrong
(it is not used in any way; commenting out the contents of the
ContextConfig.managerConfig method - which is neither called nor static - fixes
it, which proves my point).

As for the second part of the bug, well, sorry, validation doesn't actually work
with Xerces in the release (at least it doesn't for me; try Xerces 2.1 if you
want to validate with a DTD, but schema validation won't work). This is
supposedly fixed now.




Bug report for Tomcat 3 [2003/09/28]

2003-09-28 Thread bugzilla
+---+
| Bugzilla Bug ID   |
| +-+
| | Status: UNC=Unconfirmed NEW=New ASS=Assigned|
| | OPN=ReopenedVER=Verified(Skipped Closed/Resolved)   |
| |   +-+
| |   | Severity: BLK=Blocker CRI=CriticalMAJ=Major |
| |   |   MIN=Minor   NOR=Normal  ENH=Enhancement   |
| |   |   +-+
| |   |   | Date Posted |
| |   |   |  +--+
| |   |   |  | Description  |
| |   |   |  |  |
|  258|Unc|Nor|2000-11-27|response.SendRedirect() resets/destroys Cookies th|
| 2350|Ver|Nor|2001-06-27|ServletConfig.getInitParameter() requires url-patt|
| 2478|Opn|Cri|2001-07-06|Passing Session variables between JSP's and Servle|
| 4551|Opn|Nor|2001-10-31|Ctx( /tt01 ): IOException in: R( /tt01 + /com/abc/|
| 4893|Unc|Blk|2001-11-15|Tomcat dies with following error..|
| 4980|New|Min|2001-11-20|Startup message indicates incorrect log file  |
| 4994|New|Nor|2001-11-21|Tomcat needs a mechanism for clean and certain shu|
| 5064|New|Cri|2001-11-25|Socket write error when include files is more than|
| 5108|New|Maj|2001-11-26|Docs for Tomcat 3.2.x appear to be for Tomcat 3.3 |
| 5137|New|Nor|2001-11-27|Null pointer in class loader after attempting to r|
| 5160|Unc|Maj|2001-11-28|'IllegalStateException'   |
| 5331|New|Nor|2001-12-09|getPathInfo vs URL normalization  |
| 5510|New|Blk|2001-12-19|How to call ejb deployed in JBoss from Tomcat serv|
| 5756|New|Nor|2002-01-08|jspc.bat exits with wrong ERRORLEVEL  |
| 5797|New|Nor|2002-01-10|UnCatched ? StringIndexOutOfBoundsException: Strin|
| 6027|New|Maj|2002-01-25|Tomcat  Automatically shuts down as service   |
| 6168|New|Blk|2002-02-01|IllegalStateException |
| 6451|New|Cri|2002-02-14|Stackoverflow |
| 6478|New|Enh|2002-02-14|Default Tomcat Encoding   |
| 6488|Ver|Maj|2002-02-15|Error: 304. Apparent bug in default ErrorHandler c|
| 6648|New|Nor|2002-02-25|jakarta-servletapi build with java 1.4 javadoc err|
| 6702|New|Cri|2002-02-27|win 2k services not working   |
| 6796|New|Cri|2002-03-01|Tomcat dies periodically  |
| 6989|New|Maj|2002-03-08|Unable to read tld file during parallel JSP compil|
| 7008|Opn|Maj|2002-03-10|facade.HttpServletRequestFacade.getParameter(HttpS|
| 7013|New|Cri|2002-03-10|Entering a servlet path with non-ISO8859-1 charact|
| 7227|New|Nor|2002-03-19|error-code directive don't work |
| 7236|New|Blk|2002-03-19|Permission denied to do thread.stop   |
| 7626|New|Nor|2002-03-29|classloader not working properly  |
| 7652|New|Cri|2002-04-01|Tomcat stalls periodically|
| 7762|New|Enh|2002-04-05|stdout logfile handling   |
| 7785|New|Blk|2002-04-06|tomcat bug in context reloading   |
| 7789|New|Maj|2002-04-06|JSP Cookie Read/Write Fails With DNS Names|
| 7863|New|Maj|2002-04-09|I have a problem when running Tomcat with IIS |
| 8154|New|Nor|2002-04-16|logrotate script in RPM rotates non-existing file |
| 8155|New|Nor|2002-04-16|Tomcat from RPM doesn't do logrotate  |
| 8187|New|Cri|2002-04-17|Errors when Tomcat used with MS Access database   |
| 8239|New|Cri|2002-04-18|Resource temporary unavailable|
| 8263|New|Cri|2002-04-18|url-pattern easy to circumvent|
| 8634|New|Nor|2002-04-30|no way to specify different modules.xml file  |
| 8992|New|Blk|2002-05-10|IE6/XP: Limitation of POST Area within HTTP reques|
| 9086|New|Enh|2002-05-14|NPE org.apache.tomcat.core.ServerSession.setAttrib|
| 9250|New|Maj|2002-05-20|outOfMemoryError  |
| 9362|New|Nor|2002-05-23|compiilation of JSP that includes a non-existant f|
| 9367|New|Maj|2002-05-23|HttpSessionBindingEvent not thrown for HttpSession|
| 9390|New|Nor|2002-05-24|jasper compilation error in tomcat|
| 9480|New|Nor|2002-05-29|Data connection pooling   |
| 9607|New|Maj|2002-06-04|precompile JSP|
| 9737|New|Nor|2002-06-10|ArrayIndexOutOfBoundsException when sending just p|
|1|New|Cri|2002-06-19|IOException Broken Pipe when authenticating JDBCRe|
|10039|New|Nor|2002-06-20|TimeStamp will not work correctly.|

Bug report for Tomcat 4 [2003/09/28]

2003-09-28 Thread bugzilla
+---+
| Bugzilla Bug ID   |
| +-+
| | Status: UNC=Unconfirmed NEW=New ASS=Assigned|
| | OPN=ReopenedVER=Verified(Skipped Closed/Resolved)   |
| |   +-+
| |   | Severity: BLK=Blocker CRI=CriticalMAJ=Major |
| |   |   MIN=Minor   NOR=Normal  ENH=Enhancement   |
| |   |   +-+
| |   |   | Date Posted |
| |   |   |  +--+
| |   |   |  | Description  |
| |   |   |  |  |
|  218|Unc|Nor|2000-11-02|IIS  in-process tomcat BugRat Report#333 |
| 3098|Opn|Maj|2001-08-11|RequestDispatcher on relative (to request path)   |
| 3614|Opn|Nor|2001-09-14|bug in manager webapp |
| 3755|Opn|Nor|2001-09-20|freezes at shutdown   |
| 3888|Opn|Blk|2001-09-30|WebappClassLoader: Lifecycle error : CL stopped   |
| 4091|Opn|Nor|2001-10-11|custom host with unpackWARs=true don't expand wa|
| 4138|Opn|Nor|2001-10-12|Processor threads have inconsistent ClassLoader st|
| 4350|Ass|Nor|2001-10-22|SSLAuthenticator did not associate SSO session|
| 4352|Ass|Nor|2001-10-22|JDBCRealm does not work with CLIENT-CERT auth-meth|
| 4500|New|Nor|2001-10-29|isapi_redirect.dll does not pass Client certificat|
| 5068|New|Nor|2001-11-25|can't compile |
| 5185|New|Enh|2001-11-29|Installation Instructions for Configuring Tomcat 4|
| 5329|New|Nor|2001-12-08|NT Service exits startup before Tomcat is finished|
| 5427|New|Nor|2001-12-14|File Uploads with MultipartRequest|
| 5483|New|Cri|2001-12-18|I18N fails using AJP 1.3 with Tomcat 4.01 final / |
| 5547|New|Nor|2001-12-20|isapi_redirect.dll not work with ajp1.3?  |
| 5598|Opn|Maj|2001-12-27|(JSP Problem) RequestDispatcher doesn't include HT|
| 5647|New|Blk|2002-01-01|AJP13 connector will not pass authentication reque|
| 5704|Ass|Maj|2002-01-05|CgiServlet corrupting images? |
| 5715|Opn|Nor|2002-01-07|response.setContentType() in Filter.doFilter not c|
| 5759|Opn|Maj|2002-01-09|CGI servlet mapping by extension *.cgi does not wo|
| 5762|Opn|Maj|2002-01-09|CGI servlet misses to include port number in HTTP_|
| 5795|New|Enh|2002-01-10|Catalina Shutdown relies on localhost causing prob|
| 5829|New|Enh|2002-01-13|StandardManager needs to cope with sessions throwi|
| 5858|New|Enh|2002-01-15|Add tomcat dir to java.library.path   |
| 5861|New|Maj|2002-01-15|java.lang.NumberFormatException when using non-sta|
| 5951|New|Nor|2002-01-21|authentication does not work with ajp13   |
| 5952|Opn|Nor|2002-01-22|Refence to $JAVACMD  in tomcat.conf incorrect in R|
| 5975|New|Nor|2002-01-23|isSecure and getScheme: http are not set when usin|
| 5985|New|Enh|2002-01-23|Tomcat should perform a more restrictive validatio|
| 6068|New|Maj|2002-01-28|AJP13 bad read, IOException |
| 6218|Opn|Nor|2002-02-04|Relative links broken for servlets|
| 6229|New|Enh|2002-02-04|Need way to specify where to write catalina.out   |
| 6399|New|Nor|2002-02-12|unknown protocol: https   |
| 6408|New|Enh|2002-02-12|Starting tomcat from a cygwin bash shell using 'st|
| 6420|New|Cri|2002-02-13|Loadbalancer mod_jk from 4.02 not working with TC |
| 6457|New|Cri|2002-02-14|mod_jk causes segmentation fault with JkLogLevel !|
| 6582|New|Min|2002-02-20|Sample code does not match behavior   |
| 6600|Opn|Enh|2002-02-20|enodeURL adds 'jsession' when 'isRequestedSessionI|
| 6614|New|Enh|2002-02-21|Have Bootstrap and StandardClassLoader use the sam|
| 6630|New|Nor|2002-02-21|Cookies in the HttpServletRequest are not URL deco|
| 6649|New|Nor|2002-02-25|jakarta-servletapi-4 build using java 1.4 javadoc |
| 6659|New|Nor|2002-02-25|HttpUtils.getRequestURL gives incorrect URL with w|
| 6671|New|Enh|2002-02-25|Simple custom tag example uses old declaration sty|
| 6987|New|Maj|2002-03-08|AJP13Connector does not accept session id from URL|
| 6990|New|Cri|2002-03-08|Catalina 4.0.2 hangs after a few days |
| 7043|New|Enh|2002-03-12|database user and password for JDBC Based Store   |
| 7080|New|Maj|2002-03-13|Interbase JDBCRealm - Bug # 5564 - Have a safe fix|
| 7177|New|Cri|2002-03-17|Apache/mod_jk/Tomcat Connectivity Problem |
| 7190|New|Nor|2002-03-18|GenericServlet spurious log's in init(), destroy()|
| 7207|New|Nor|2002-03-18|Redeployment Problem under Tomcat 4.0.2   |

Bug report for Watchdog [2003/09/28]

2003-09-28 Thread bugzilla
+---+
| Bugzilla Bug ID   |
| +-+
| | Status: UNC=Unconfirmed NEW=New ASS=Assigned|
| | OPN=ReopenedVER=Verified(Skipped Closed/Resolved)   |
| |   +-+
| |   | Severity: BLK=Blocker CRI=CriticalMAJ=Major |
| |   |   MIN=Minor   NOR=Normal  ENH=Enhancement   |
| |   |   +-+
| |   |   | Date Posted |
| |   |   |  +--+
| |   |   |  | Description  |
| |   |   |  |  |
|  278|Unc|Nor|2000-12-04|Bug in GetParameterValuesTestServlet.java file Bug|
|  279|Unc|Nor|2000-12-04|Logical Error in GetParameterValuesTestServlet Bug|
|  469|Unc|Nor|2001-01-17|in example-taglib.tld urn should be uri BugRat|
|  470|Unc|Nor|2001-01-17|FAIL positiveForward.jsp and positiveInclude.jsp B|
| 9634|New|Enh|2002-06-05|No tests exist for ServletContext.getResourcePaths|
|10703|New|Enh|2002-07-11|Need to test getRequestURI after RequestDispatcher|
|11336|New|Enh|2002-07-31|Test wrapped path methods with RD.foward()|
|11663|New|Maj|2002-08-13|JSP precompile tests rely on Jasper specific behav|
|11664|New|Maj|2002-08-13|A sweep is needed of all Watchdog 4.0 tag librarie|
|11665|New|Maj|2002-08-13|ServletToJSPErrorPageTest and ServletToServletErro|
|11666|New|Maj|2002-08-13|SetBufferSize_1TestServlet is invalid.|
|14004|New|Maj|2002-10-28|Incorrent behaviour of all attribute-related lifec|
|15504|New|Nor|2002-12-18|JSP positiveGetValues test relies on order preserv|
+-+---+---+--+--+
| Total   13 bugs   |
+---+




DO NOT REPLY [Bug 12428] - request.getUserPrincipal(): Misinterpretation of specification?

2003-09-28 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12428.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12428

request.getUserPrincipal(): Misinterpretation of specification?

[EMAIL PROTECTED] changed:

   What|Removed |Added

   Severity|Normal  |Major



--- Additional Comments From [EMAIL PROTECTED]  2003-09-28 19:11 ---
This is a major problem for us porting our application.  We have a menu system
which stays the same for all the users.  Based on the role and if we have a
principal or not, the menu changes with more or less options.




DO NOT REPLY [Bug 12428] - request.getUserPrincipal(): Misinterpretation of specification?

2003-09-28 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12428.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12428

request.getUserPrincipal(): Misinterpretation of specification?





--- Additional Comments From [EMAIL PROTECTED]  2003-09-29 02:30 ---
I don't see anything in the 2.3 spec that precludes the way that Tomcat handles 
this.  The 2.4 spec is a bit more ambiguous, so I'm going to have to try to get 
a clarification from the expert-group before marking this as INVALID.

As a work-around, try using a simple Filter something like:
   import java.io.IOException;
   import java.security.Principal;
   import javax.servlet.*;
   import javax.servlet.http.*;

   // Class name and the session attribute key are placeholders; the poster's
   // snippet gave only the filter method and the wrapper.
   public class PrincipalFilter implements Filter {
      public void init(FilterConfig config) throws ServletException {}
      public void destroy() {}

      public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
          throws IOException, ServletException {
          HttpServletRequest request = (HttpServletRequest)req;
          Principal userPrin = request.getUserPrincipal();
          if(userPrin == null) {
              // Unauthenticated request: reuse the principal remembered in the session, if any
              HttpSession session = request.getSession(true);
              Principal myPrin = (Principal)session.getAttribute("com.myfirm.MyPrincipal");
              if(myPrin != null) {
                  req = new MyAuthRequest(request, myPrin);
              }
          } else {
              // Authenticated request: remember the container's principal for later requests
              HttpSession session = request.getSession(true);
              session.setAttribute("com.myfirm.MyPrincipal", userPrin);
          }
          chain.doFilter(req, res);
      }

      static class MyAuthRequest extends HttpServletRequestWrapper {
          Principal myPrin;
          MyAuthRequest(HttpServletRequest request, Principal prin) {
              super(request);   // the wrapper must delegate to the real request
              myPrin = prin;
          }
          public Principal getUserPrincipal() {
              return myPrin;
          }
          // getRemoteUser() and isUserInRole() are not overridden here and still
          // answer from the wrapped request, i.e. as if no user were logged in.
      }
   }




DO NOT REPLY [Bug 12428] - request.getUserPrincipal(): Misinterpretation of specification?

2003-09-28 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12428.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12428

request.getUserPrincipal(): Misinterpretation of specification?





--- Additional Comments From [EMAIL PROTECTED]  2003-09-29 03:16 ---
This works, but only in the context of the WEB container.  If my WEB application
calls down to my entity beans, I am out of luck.  I don't know of a way to pass
this context down to the entity beans without having to implicitly pass a user
parameter to ALL the functions which would normally get a principal from the
context.

By the way, this is happening with JBoss 3.2.2RC3, which has Tomcat version 4.1
bundled with it (I am not sure which one).

In my application, additional features become available when a user becomes a
member.  Thus all of my code is based on:

a) Do I have a principal, no? then GUEST access otherwise b)
b) If role X is enabled, allow functions X1...Xn

Not having a principal in the public pages does not allow me to check the role.

I noticed that I am not the only one who is having an issue with the way this
works.  Is there a way to make a parameter that, when set, would pass the
principal to the public pages?  If the parameter is not set, then don't pass the
principal, as is the case now.  Since the spec is so ambiguous, it makes migration to
the Tomcat/JBoss combo from Weblogic, Orion or other app servers difficult.

Thanks.




Container level authentication

2003-09-28 Thread Bill Barker
I'm a bit confused by the scope for authentication.  For purposes of
discussion, assume that there is a sub-section of my web-app that is
protected via:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>somerole</role-name>
    </auth-constraint>
  </security-constraint>

If a user successfully authenticates to access a resource in the 'Protected
Area', and then subsequently requests a non-protected page, is the Container
required to report (via request.getUserPrincipal/request.getRemoteUser) the
authentication information that was used to access the 'Protected Area' for
the request to the non-protected page?

The remark in section 12.6 that the servlet container is required to track
authentication information at the container level (except that this is
qualified in the same sentence), and the remark in section 12.10 that a
'null' value for request.getUserPrincipal indicates that a user is logged
out, would seem to say that the user needs to be tracked for the entire
web-app.  However, I'm the first to admit to possibly reading more into this
than was intended.

I'm asking this, since at the moment Tomcat (and, therefore, presumably the
J2EE RI) does not track user authentication for requests to
non-authenticated pages.  I'm hoping that this issue can be clarified in the
final draft of the 2.4 spec.



This message is intended only for the use of the person(s) listed above as the 
intended recipient(s), and may contain information that is PRIVILEGED and 
CONFIDENTIAL.  If you are not an intended recipient, you may not read, copy, or 
distribute this message or any attachment. If you received this communication in 
error, please notify us immediately by e-mail and then delete all copies of this 
message and any attachments.

In addition you should be aware that ordinary (unencrypted) e-mail sent through the 
Internet is not secure. Do not send confidential or sensitive information, such as 
social security numbers, account numbers, personal identification numbers and 
passwords, to us via ordinary (unencrypted) e-mail.
