Re: [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect

2018-10-08 Thread Michael Yoder
On Wed, Oct 3, 2018 at 12:50 PM Mark Thomas wrote:
> CVE-2018-11784 Apache Tomcat - Open Redirect

Is it possible to get more information on the "specially crafted URL"?
I'd like more information so that I can test if some of our apps are
vulnerable.

In addition, I'd like to verify that the value of
mapperContextRootRedirectEnabled defaults to "true", so if we don't
alter that value we aren't susceptible?

Thanks and regards,
-Mike Yoder
Cloudera, Inc.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



log4j: Logging to same file from multiple contexts?

2018-10-08 Thread David Filip
Dear Tomcat Users,

Apologies if this is more of a log4j question, but I thought that I'd start 
here, in case Tomcat has any easy remedies.

I have a common webapp that I deploy to multiple, different contexts.

In log4j.properties, I have a few different log files defined, e.g., for logins:

log4j.appender.logins=org.apache.log4j.DailyRollingFileAppender
log4j.appender.logins.file=${catalina.home}/logs/logins.log
# one file per day, e.g. logins.log.2018-10-08
log4j.appender.logins.datePattern='.'yyyy-MM-dd
log4j.appender.logins.append=true
log4j.appender.logins.layout=org.apache.log4j.PatternLayout
log4j.appender.logins.layout.ConversionPattern=[%d{MM/dd/yyyy HH:mm:ss}] [%p] [%C{1}]: %m%n

log4j.logger.com.colornet.CAP.Actions.LoginAction=info, logins
log4j.logger.com.colornet.CAP.Util.LoginTokenTag=info, logins

However, as you may have guessed, if I have the same log4j configuration file 
for each context, the contexts tend to overwrite each other.

Is there any way to have the SAME log4j.properties deployed to multiple 
contexts play nicely and not overwrite each other, but merely append to each other?

Extra credit question (although sounds even more like a log4j question, so 
apologies): If not, is there any way to define the file path, e.g.:

log4j.appender.logins.file=${catalina.home}/logs/logins.log

to include the specific context?  I have found a few references on the 'Net, 
e.g., ${contextPath}, ${servletName}, etc., which don't seem to work.

My goal (desire?) is to have the same webapp and configuration and web.xml and 
log4j.properties, etc., deployed to every web context, but not have one context 
overwrite another context's entries.

Of course, as the Mick once said, "You can't always have what you want".

Please let me know if this is possible.

Thanks,

Dave.
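One way to let a single shared configuration produce a different log file per context, as an added example that is not from the post above nor from Tomcat or log4j: a ServletContextListener (hypothetical class PerContextLog4jConfigurer) loads a shared template (assumed at WEB-INF/log4j-template.properties), injects the context path under the assumed key webapp.context, and configures log4j 1.x from the resulting Properties object rather than from a file on the classpath. It assumes log4j is bundled in each webapp's WEB-INF/lib, so every context has its own logger repository and reconfiguring one does not touch the others.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import org.apache.log4j.LogManager;
import org.apache.log4j.PropertyConfigurator;

/*
 * Added example (not from the original post, Tomcat or log4j). Exposes the context
 * path to the shared template as ${webapp.context} (assumed key), e.g.:
 *   log4j.appender.logins.file=${catalina.home}/logs/logins-${webapp.context}.log
 * The template must NOT be on the classpath as log4j.properties, otherwise log4j's
 * default auto-configuration opens the un-substituted path before this listener runs.
 */
public class PerContextLog4jConfigurer implements ServletContextListener {
    private static final String TEMPLATE = "/WEB-INF/log4j-template.properties";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        Properties props = new Properties();
        try (InputStream in = sce.getServletContext().getResourceAsStream(TEMPLATE)) {
            if (in == null) {
                throw new IllegalStateException("missing " + TEMPLATE);
            }
            props.load(in);
        } catch (IOException e) {
            throw new IllegalStateException("cannot read " + TEMPLATE, e);
        }
        // PropertyConfigurator resolves ${...} from system properties first and then from
        // this Properties object, so no JVM-wide System.setProperty is needed and two
        // contexts starting at the same time cannot clobber each other's value.
        props.setProperty("webapp.context", toFileToken(sce.getServletContext().getContextPath()));
        PropertyConfigurator.configure(props);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        LogManager.shutdown(); // flush and close this webapp's appenders on undeploy
    }

    /** Turn a context path into a safe file-name fragment: "" -> "ROOT", "/a/b" -> "a_b". */
    static String toFileToken(String contextPath) {
        if (contextPath == null || contextPath.isEmpty()) {
            return "ROOT"; // Tomcat reports the root context as the empty string
        }
        String stripped = contextPath.startsWith("/") ? contextPath.substring(1) : contextPath;
        return stripped.replaceAll("[^A-Za-z0-9._-]", "_");
    }
}
```

Register the class as a `<listener>` in the shared web.xml ahead of any listener that logs, so the appenders exist before the first login event is written.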






RE: Apache failed to initialize connector

2018-10-08 Thread Louis Zipes
Maybe I missed it, but what do the Tomcat logs show when you stop and start it?

Also, to further diagnose or get more of the error message, you could create a 
batch file with this in it and put in a PAUSE to see the error message.

net stop "" && net start ""
PAUSE

-Original Message-
From: Gael REYNOARD [mailto:gael.reyno...@lafon.fr]
Sent: Monday, October 08, 2018 3:12 AM
To: users@tomcat.apache.org
Subject: Re: Apache failed to initialize connector



Re: Apache failed to initialize connector

2018-10-08 Thread Gael REYNOARD
Hi Cris,

I had not thought about it, so I also tested this possible solution, and it
also solves the problem.

My other test was not conclusive: I carried out the Windows updates and
that did not change anything; if the Tomcat service starts automatically, I
always have the problem.

But I have 2 possibilities to work around this problem:

- Start service manually after starting Windows
- Start service in "Automatic (Delayed Start)"


Best regards,
--
*  Gaël REYNOARD* - Research & Development Engineer
  *IT Design Office* department
  44 avenue Victor Meunier - 33530 BASSENS
  Landline 05.57.80.80.80 - Fax 05.56.31.61.21 - Extension 100 235
  gael.reyno...@lafon.fr - www.lafon.fr


On Thu, 4 Oct 2018 at 19:54, Berneburg, Cris J. - US 
wrote:

> Hi Gael
>
> >> >> >> On 03/10/18 12:28, Gael REYNOARD wrote:
> >> >> >>> Hello everybody,
> >> >> >>>
> >> >> >>> OS : Windows 7 Pro x64
> >> >> >>> Tomcat : 8.5.31
> >> >> >>>
> >> >> >>> On a test bench, I reboot Windows to test one of our C#
> >> applications.
> >> >> >>> Sometimes after starting the OS, my Tomcat server fails to
> >> initialize
> >> >> >>> because the 8080 or 8009 port would be already used.
> >> >> >>
> >> >> >> How are you starting Tomcat?
> >> >> >>
> >> >> >> Mark
>
> gr> I disabled the automatic start of Tomcat service,
> gr> it is launched a little later by my program in C#.
> gr> After 314 startups of the OS, I did not have any exceptions.
>
> gr> I did not look well enough on the internet
> gr> because I found this morning a post
> gr> (
> https://stackoverflow.com/questions/51666952/address-bind-exception-in-tomcat
> )
> gr> from someone with a similar problem and Microsoft
> gr> would have provided a solution since July.
>
> I have not tried it myself, but have you considered the "Automatic
> (Delayed Start)" Startup type in your Windows service properties?  It's
> available on my TC service in Windows Server 2012 R2.
>
> This Stack Overflow article says it waits 2 minutes:
>
>
> https://stackoverflow.com/questions/11015189/automatic-vs-automatic-delayed-start/11015576#11015576
>
> --
> Cris Berneburg, Lead Software Engineer
> CACI, IRMA Project
> phone: 703-679-5313
>
> -Original Message-
> From: Gael REYNOARD 
> Sent: Thursday, October 4, 2018 8:45 AM
> To: users@tomcat.apache.org
> Subject: Re: Apache failed to initialize connector
>
> Thank you so much,
>
> [LARGE SNIP]
>
>