RE: security hole on windows Apache -> Tomcat?

2003-08-14 Thread Angus Mezick
I ONLY see the problem in apache.  So I think it is a config problem.
Will the jk2 URI :
[uri:www.SITENAME.org/*.jsp]  catch www.SITENAME.org/index.jsp%20 ?
When I turn on the accessvalve tomcat doesn't see this request.

> -Original Message-
> From: Jeff Tulley [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, August 13, 2003 11:24 AM
> To: [EMAIL PROTECTED]
> Subject: RE: security hole on windows Apache -> Tomcat?
> 
> 
> Yes, but all Apache does is redirect the request to Tomcat for handling.
> Tomcat itself decides whether to compile the JSP or serve the file as a
> "static file" (and hence, show the source).  I saw this problem both
> directly to Tomcat (8080), and through Apache integration, until I did
> the workaround.
> 
> There IS somebody on the Tomcat development list who still has the
> problem -- he is running Tomcat as a Windows Service, with Apache
> integration, and the workaround doesn't seem to work.  I cannot
> duplicate since I don't run it as a service or use mod_jk2 like he is.
> 
> Are you sure you still see this with the workaround?  It went away for
> me even with my apache-served urls.  Also, is backrevving the JVM to
> 1.4.1 an option for you?  I'd try that and see if that fixes the
> problem.
> 
> The behaviour of your site WAS exactly the same as mine once I was able
> to get the problem to happen on my box, so it seems like we are all
> seeing the same thing.
> 
> Jeff Tulley  ([EMAIL PROTECTED])
> (801)861-5322
> Novell, Inc., The Leading Provider of Net Business Solutions
> http://www.novell.com
> 
> >>> [EMAIL PROTECTED] 8/13/03 6:53:39 AM >>>
> Ok.  I have this problem but it isn't tomcat that is doing the serving
> of the JSP source.  It is apache.  This is my workers2.properties uri
> section:
> 
> 
> [uri:www.SITENAME.org/*.jsp]
> group=lbWWW
> [uri:www.SITENAME.org/*.adp]
> group=lbWWW
> [uri:www.SITENAME.org/*.inc]
> group=lbWWW
> [uri:www.SITENAME.org/servlet/*]
> group=lbWWW
> [uri:www.SITENAME.org/*.gs]
> group=lbWWW
> 
> 
> I am guessing the problem is because
> http://www.SITENAME.org/index.jsp%20 is not a match for
> http://www.SITENAME.org/*.jsp  (that trailing space messes stuff up).
> Should I just create a RedirectMatch for this case that removes all
> trailing whitespace?  Would mod_rewrite be better for this?  I am using
> this list for this question because I KNOW the apache list doesn't want
> tomcat integration questions.
> --Angus
> 
> 
> > -Original Message-
> > From: Jeff Tulley [mailto:[EMAIL PROTECTED] 
> > Sent: Tuesday, August 12, 2003 9:14 PM
> > To: [EMAIL PROTECTED] 
> > Subject: Re: security hole on windows tomcat?
> > 
> > 
> > I've verified that this workaround stops the problem on Win XP's 1.4.2
> > and on NetWare's 1.4.2
> > 
> > Jeff Tulley  ([EMAIL PROTECTED])
> > (801)861-5322
> > Novell, Inc., The Leading Provider of Net Business Solutions
> > http://www.novell.com 
> > 
> > >>> [EMAIL PROTECTED] 8/12/03 7:08:50 PM >>>
> > Sorry I've just realized this thread may be related to bugtraq #4895132
> > (thanks to Jeff for the wake up mail on tomcat-dev ;-) ). The workaround
> > is to add the following property when starting Tomcat:
> > 
> > -Dsun.io.useCanonCaches=false
> > 
> > Can someone try it and let me know if it changes something. If this is
> > not working, then point me to a very simple test case and I will file a
> > new bugtraq bug.
> > 
> > -- Jeanfrancois
> > 
> > 
> > Eric J. Pinnell wrote:
> > 
> > >I think at this point this might be a worthwhile candidate for Sun's
> > >bugparade.  At least get it on their radars (if they don't know about it
> > >already).  It's interesting that the bug doesn't show up in Tomcat 4.1.27.
> > >When 1.4.2 was released 4.1.24 was the latest stable build.
> > >
> > >Regardless the JDK/appserver/whatever should never puke its guts and spit
> > >out the source code when it gets a request it doesn't know how to deal
> > >with.  Upon failure it should result in some kind of error.  Sun might
> > >care about this...
> > >
> > >-e
> > >
> > >On Tue, 12 Aug 2003, Jeff Tulley wrote:
> > >
> > >  
> > >
> > >>It is highly possible that this is dependent on the JVM you have
> > >>ins

Re: security hole on windows Apache -> Tomcat?

2003-08-14 Thread Paul Sundling
You actually can do that if you had a servlet on the outside that
forwarded the request to the appropriate JSPs.  A simple example is if
you use the struts framework, the following is an example of how you
could use that approach.  I just tested it and it worked fine:

[snip from struts-config.xml]
  
[end snip]
Angus Mezick wrote:

Not at the current late stage of development we are currently in.  I
know, it bites.  I am going to try a trick with RedirectMatch.  Maybe
just redirect them into limbo, I don't know.
 

-Original Message-
From: Ralph Einfeldt [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 13, 2003 11:45 AM
To: Tomcat Users List
Subject: RE: security hole on windows Apache -> Tomcat?

Can you arrange your file layout in a way, that the jsp's aren't 
under the document root for apache ? (I guess they are, otherwise
apache couldn't show them)

   

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 5:34 PM
To: Tomcat Users List
Subject: RE: security hole on windows Apache -> Tomcat?
I ONLY see the problem in apache.  So I think it is a config problem.
   

Will the jk2 URI :
[uri:www.SITENAME.org/*.jsp]  catch www.SITENAME.org/index.jsp%20 ?
When I turn on the accessvalve tomcat doesn't see this request.
 

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
   



RE: security hole on windows Apache -> Tomcat?

2003-08-14 Thread Ralph Einfeldt
Can you arrange your file layout in a way, that the jsp's aren't 
under the document root for apache ? (I guess they are, otherwise
apache couldn't show them)


> -Original Message-
> From: Angus Mezick [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 13, 2003 5:34 PM
> To: Tomcat Users List
> Subject: RE: security hole on windows Apache -> Tomcat?
> 
> 
> I ONLY see the problem in apache.  So I think it is a config problem.
> Will the jk2 URI :
> [uri:www.SITENAME.org/*.jsp]  catch www.SITENAME.org/index.jsp%20 ?
> When I turn on the accessvalve tomcat doesn't see this request.
> 




RE: security hole on windows Apache -> Tomcat?

2003-08-14 Thread Angus Mezick
Not at the current late stage of development we are currently in.  I
know, it bites.  I am going to try a trick with RedirectMatch.  Maybe
just redirect them into limbo, I don't know.

> -Original Message-
> From: Ralph Einfeldt [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, August 13, 2003 11:45 AM
> To: Tomcat Users List
> Subject: RE: security hole on windows Apache -> Tomcat?
> 
> 
> Can you arrange your file layout in a way, that the jsp's aren't 
> under the document root for apache ? (I guess they are, otherwise
> apache couldn't show them)
> 
> 
> > -Original Message-
> > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 13, 2003 5:34 PM
> > To: Tomcat Users List
> > Subject: RE: security hole on windows Apache -> Tomcat?
> > 
> > 
> > I ONLY see the problem in apache.  So I think it is a config problem.
> > Will the jk2 URI :
> > [uri:www.SITENAME.org/*.jsp]  catch www.SITENAME.org/index.jsp%20 ?
> > When I turn on the accessvalve tomcat doesn't see this request.
> > 
> 
> 
> 




RE: security hole on windows Apache -> Tomcat?

2003-08-14 Thread Jeff Tulley
Yes, but all Apache does is redirect the request to Tomcat for handling.
 Tomcat itself decides whether to compile the JSP or serve the file as a
"static file" (and hence, show the source).  I saw this problem both
directly to Tomcat (8080), and through Apache integration, until I did
the workaround.

There IS somebody on the Tomcat development list who still has the
problem -- he is running Tomcat as a Windows Service, with Apache
integration, and the workaround doesn't seem to work.  I cannot
duplicate since I don't run it as a service or use mod_jk2 like he is.

Are you sure you still see this with the workaround?  It went away for
me even with my apache-served urls.  Also, is backrevving the JVM to
1.4.1 an option for you?  I'd try that and see if that fixes the
problem.

The behaviour of your site WAS exactly the same as mine once I was able
to get the problem to happen on my box, so it seems like we are all
seeing the same thing.

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> [EMAIL PROTECTED] 8/13/03 6:53:39 AM >>>
Ok.  I have this problem but it isn't tomcat that is doing the serving
of the JSP source.  It is apache.  This is my workers2.properties uri
section:


[uri:www.SITENAME.org/*.jsp]
group=lbWWW
[uri:www.SITENAME.org/*.adp]
group=lbWWW
[uri:www.SITENAME.org/*.inc]
group=lbWWW
[uri:www.SITENAME.org/servlet/*]
group=lbWWW
[uri:www.SITENAME.org/*.gs]
group=lbWWW


I am guessing the problem is because
http://www.SITENAME.org/index.jsp%20 is not a match for
http://www.SITENAME.org/*.jsp  (that trailing space messes stuff up).
Should I just create a RedirectMatch for this case that removes all
trailing whitespace?  Would mod_rewrite be better for this?  I am using
this list for this question because I KNOW the apache list doesn't want
tomcat integration questions.
--Angus


> -Original Message-
> From: Jeff Tulley [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, August 12, 2003 9:14 PM
> To: [EMAIL PROTECTED] 
> Subject: Re: security hole on windows tomcat?
> 
> 
> I've verified that this workaround stops the problem on Win XP's 1.4.2
> and on NetWare's 1.4.2
> 
> Jeff Tulley  ([EMAIL PROTECTED])
> (801)861-5322
> Novell, Inc., The Leading Provider of Net Business Solutions
> http://www.novell.com 
> 
> >>> [EMAIL PROTECTED] 8/12/03 7:08:50 PM >>>
> Sorry I've just realized this thread may be related to bugtraq #4895132
> (thanks to Jeff for the wake up mail on tomcat-dev ;-) ). The workaround
> is to add the following property when starting Tomcat:
> 
> -Dsun.io.useCanonCaches=false
> 
> Can someone try it and let me know if it changes something. If this is
> not working, then point me to a very simple test case and I will file a
> new bugtraq bug.
> 
> -- Jeanfrancois
> 
> 
> Eric J. Pinnell wrote:
> 
> >I think at this point this might be a worthwhile candidate for Sun's
> >bugparade.  At least get it on their radars (if they don't know about it
> >already).  It's interesting that the bug doesn't show up in Tomcat 4.1.27.
> >When 1.4.2 was released 4.1.24 was the latest stable build.
> >
> >Regardless the JDK/appserver/whatever should never puke its guts and spit
> >out the source code when it gets a request it doesn't know how to deal
> >with.  Upon failure it should result in some kind of error.  Sun might
> >care about this...
> >
> >-e
> >
> >On Tue, 12 Aug 2003, Jeff Tulley wrote:
> >
> >  
> >
> >>It is highly possible that this is dependent on the JVM you have
> >>installed.  I actually finally WAS able to see this on Windows XP, but
> >>only if Tomcat was running on JVM 1.4.2.  The problem did NOT happen
> >>with 1.4.1.  Of course, JVM version is the one item I left off of my
> >>"poll" in my email below.  :)
> >>
> >>I'm trying to verify this on other OS's and track down what the actual
> >>problem is.
> >>
> >>But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.
> >>Jeff Tulley  ([EMAIL PROTECTED])
> >>(801)861-5322
> >>Novell, Inc., The Leading Provider of Net Business Solutions
> >>http://www.novell.com 
> >>
> >>
> >>
> >[EMAIL PROTECTED] 8/12/03 4:10:53 PM >>>
> >  
> >
> >>Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via
> >>either port 8080 or port 80 - pages return fine without the %20 suffix,
> >>always return http 404 with the suffix.
> >>
> >>Murray
> >>-Original Message-
> >>From: Jeff Tulley [mailto:[EMAIL PROTECTED] 
> >>Sent: Wednesday, 13 August 2003 02:41
> >>To: [EMAIL PROTECTED] 
> >>Subject: RE: security hole on windows tomcat?
> >>
> >>
> >>So this issue is confusing.  It seems that indeed there IS an issue,
> >>though most cannot see a problem.
> >>Talking to some people off-list, it seems that some think it is a JK2 /
> >>workers2.properties issue.  But I'm pretty sure that others have seen
> >>this going directly to port 8080.
> >>We probably need to tak

RE: security hole on windows Apache -> Tomcat?

2003-08-14 Thread Angus Mezick
Here is the redirect that I use in my virtualhost entry in apache:
RedirectMatch (.*?)\s+$ http://www.SITENAMEHERE.org$1
Nicely stops the problem of people adding spaces to their url's. (or any
other whitespace for that matter)
--Angus

> -Original Message-
> From: Angus Mezick 
> Sent: Wednesday, August 13, 2003 1:56 PM
> To: Tomcat Users List
> Subject: RE: security hole on windows Apache -> Tomcat?
> 
> 
> Not at the current late stage of development we are currently in.  I
> know, it bites.  I am going to try a trick with RedirectMatch.  Maybe
> just redirect them into limbo, I don't know.
> 
> > -Original Message-
> > From: Ralph Einfeldt [mailto:[EMAIL PROTECTED] 
> > Sent: Wednesday, August 13, 2003 11:45 AM
> > To: Tomcat Users List
> > Subject: RE: security hole on windows Apache -> Tomcat?
> > 
> > 
> > Can you arrange your file layout in a way, that the jsp's aren't 
> > under the document root for apache ? (I guess they are, otherwise
> > apache couldn't show them)
> > 
> > 
> > > -Original Message-----
> > > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, August 13, 2003 5:34 PM
> > > To: Tomcat Users List
> > > Subject: RE: security hole on windows Apache -> Tomcat?
> > > 
> > > 
> > > > I ONLY see the problem in apache.  So I think it is a config problem.
> > > > Will the jk2 URI :
> > > > [uri:www.SITENAME.org/*.jsp]  catch www.SITENAME.org/index.jsp%20 ?
> > > > When I turn on the accessvalve tomcat doesn't see this request.
> > > 
> > 
> > 
> > 
> > 
> 
> 
> 




RE: security hole on windows Apache -> Tomcat?

2003-08-14 Thread Angus Mezick
Ok.  I have this problem but it isn't tomcat that is doing the serving
of the JSP source.  It is apache.  This is my workers2.properties uri
section:


[uri:www.SITENAME.org/*.jsp]
group=lbWWW
[uri:www.SITENAME.org/*.adp]
group=lbWWW
[uri:www.SITENAME.org/*.inc]
group=lbWWW
[uri:www.SITENAME.org/servlet/*]
group=lbWWW
[uri:www.SITENAME.org/*.gs]
group=lbWWW


I am guessing the problem is because
http://www.SITENAME.org/index.jsp%20 is not a match for
http://www.SITENAME.org/*.jsp  (that trailing space messes stuff up).
Should I just create a RedirectMatch for this case that removes all
trailing whitespace?  Would mod_rewrite be better for this?  I am using
this list for this question because I KNOW the apache list doesn't want
tomcat integration questions.
--Angus


> -Original Message-
> From: Jeff Tulley [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, August 12, 2003 9:14 PM
> To: [EMAIL PROTECTED]
> Subject: Re: security hole on windows tomcat?
> 
> 
> I've verified that this workaround stops the problem on Win XP's 1.4.2
> and on NetWare's 1.4.2
> 
> Jeff Tulley  ([EMAIL PROTECTED])
> (801)861-5322
> Novell, Inc., The Leading Provider of Net Business Solutions
> http://www.novell.com
> 
> >>> [EMAIL PROTECTED] 8/12/03 7:08:50 PM >>>
> Sorry I've just realized this thread may be related to bugtraq #4895132
> (thanks to Jeff for the wake up mail on tomcat-dev ;-) ). The workaround
> is to add the following property when starting Tomcat:
> 
> -Dsun.io.useCanonCaches=false
> 
> Can someone try it and let me know if it changes something. If this is
> not working, then point me to a very simple test case and I will file a
> new bugtraq bug.
> 
> -- Jeanfrancois
> 
> 
> Eric J. Pinnell wrote:
> 
> >I think at this point this might be a worthwhile candidate for Sun's
> >bugparade.  At least get it on their radars (if they don't know about it
> >already).  It's interesting that the bug doesn't show up in Tomcat 4.1.27.
> >When 1.4.2 was released 4.1.24 was the latest stable build.
> >
> >Regardless the JDK/appserver/whatever should never puke its guts and spit
> >out the source code when it gets a request it doesn't know how to deal
> >with.  Upon failure it should result in some kind of error.  Sun might
> >care about this...
> >
> >-e
> >
> >On Tue, 12 Aug 2003, Jeff Tulley wrote:
> >
> >  
> >
> >>It is highly possible that this is dependent on the JVM you have
> >>installed.  I actually finally WAS able to see this on Windows XP, but
> >>only if Tomcat was running on JVM 1.4.2.  The problem did NOT happen
> >>with 1.4.1.  Of course, JVM version is the one item I left off of my
> >>"poll" in my email below.  :)
> >>
> >>I'm trying to verify this on other OS's and track down what the actual
> >>problem is.
> >>
> >>But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.
> >>
> >>Jeff Tulley  ([EMAIL PROTECTED])
> >>(801)861-5322
> >>Novell, Inc., The Leading Provider of Net Business Solutions
> >>http://www.novell.com 
> >>
> >>
> >>
> >[EMAIL PROTECTED] 8/12/03 4:10:53 PM >>>
> >  
> >
> >>Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via
> >>either port 8080 or port 80 - pages return fine without the %20 suffix,
> >>always return http 404 with the suffix.
> >>
> >>Murray
> >>-Original Message-
> >>From: Jeff Tulley [mailto:[EMAIL PROTECTED] 
> >>Sent: Wednesday, 13 August 2003 02:41
> >>To: [EMAIL PROTECTED] 
> >>Subject: RE: security hole on windows tomcat?
> >>
> >>
> >>So this issue is confusing.  It seems that indeed there IS an issue,
> >>though most cannot see a problem.
> >>Talking to some people off-list, it seems that some think it is a JK2 /
> >>workers2.properties issue.  But I'm pretty sure that others have seen
> >>this going directly to port 8080.
> >>We probably need to take a quick poll:
> >>
> >>If you have seen this security problem of being able to view JSP
> >>source, in what scenario(s)?
> >>
> >>Tomcat version
> >>OS version
> >>Directly to Tomcat ("8080") or through Apache - JK or JK2?
> >>(If you've seen the problem, please include your workers or
> >>workers2.properties file, with a .txt extension)
> >>Browser version(s)
> >>url's where this was seen or not seen
> >>
> >>If you have seen this in multiple scenarios, and not in others, please
> >>list each separately.
> >>
> >>
> >>I have NOT seen it in the following scenarios:
> >>
> >>Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
> >>Windows 2000 5.00.2195 Service Pack 4
> >>Directly to port 8080
> >>Internet Explorer 6.0.2800.1106 with all security patches up to date
> >>I tried  http://(url):8080/index.jsp%20 
> >>
> >>Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only
> >>adding one JNDIRealm beyond the default config)
> >>Novell NetWare 6.5
> >>Directly to port 8080, and through Apache - mod_jk.nlm
> >>Internet Explorer 6.0.2800.1106 with all security patches up to date
> >>I tried  http://(url):8080/index.