
http://issues.apache.org/bugzilla/show_bug.cgi?id=27627

Buffer overflow in jk2 connector while parsing "Host" header

           Summary: Buffer overflow in jk2 connector while parsing "Host" header
           Product: Tomcat 4
           Version: 4.1.30
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Connector:Coyote JK 2
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


There is a buffer overflow bug in the following code in jk2 connector
(jk/native2/common/jk_uriMap.c, jk2_uriMap_getHostCache function):

    char key[1024];

    if (!vhost && !port)
        return uriMap->vhosts->get(env, uriMap->vhosts, "*");
    if (!vhost)
        vhost = "*";
    sprintf(key, "%s:%d", vhost, port);

The value of the 'vhost' variable comes from the "Host" header, and the maximum
length of this variable depends on the web server (for Apache 2 it is more than
1024).
A client that connects to the web server and sends a "Host" header longer than
1024 characters will cause a web server crash (and this may even enable clients
to execute arbitrary code on the server!).
A similar bug is in the jk2_uriMap_hostMap function.
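A bounded form of the key-building call, added here as an illustration and not taken from the jk2 source: snprintf limits the write to the buffer size and its return value reveals when the "Host" value would not fit, so an oversized header is rejected instead of overrunning the stack buffer. The function names and the 2048-byte constructed host value are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

#define KEY_SIZE 1024

/* Bounded replacement for sprintf(key, "%s:%d", vhost, port).
 * Returns 0 on success, -1 when "vhost:port" would not fit in key_size
 * bytes (including the terminating NUL). Hypothetical name. */
int build_host_key(char *key, size_t key_size, const char *vhost, int port)
{
    int n;
    if (vhost == NULL)
        vhost = "*";
    /* snprintf writes at most key_size bytes and reports how many it
     * needed, so an oversized Host header is detected, not written. */
    n = snprintf(key, key_size, "%s:%d", vhost, port);
    if (n < 0 || (size_t)n >= key_size) {
        key[0] = '\0';   /* leave a defined, empty key on rejection */
        return -1;
    }
    return 0;
}

/* Constructed 2047-character host name, longer than the 1024-byte key:
 * the original sprintf would overflow, the bounded version returns -1. */
int demo_oversized_host(void)
{
    char key[KEY_SIZE];
    char long_host[2048];
    memset(long_host, 'a', sizeof(long_host) - 1);
    long_host[sizeof(long_host) - 1] = '\0';
    return build_host_key(key, sizeof(key), long_host, 8009);
}

int main(void)
{
    char key[KEY_SIZE];
    if (build_host_key(key, sizeof(key), "www.example.com", 80) == 0)
        printf("key = %s\n", key);
    if (demo_oversized_host() != 0)
        printf("oversized Host header rejected\n");
    return 0;
}
```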
