Tomcat8.0.53 & Java related issues

2021-09-13 Thread zhuyix...@orientalmind.com
Dear Sir or Madam:
Howdy. I'm a Java developer. I am learning about Tomcat, version 8.0.53,
on Windows 10 with JDK 1.8.
At present I have some problems and I hope I can get help.
Currently I'm using
org.apache.catalina.util.RequestUtil.parseParameters().
I found this method deprecated after version 8.5.xx. I can't find in the
notes or documentation why it was abandoned or what the recommended
alternative is.
I hope you can answer it for me at your convenience.
Thank you


Tomcat8.0.53 & Java related issues

2021-09-13 Thread zhuyix...@orientalmind.com
Dear Sir or Madam:
Howdy. I'm a Java developer. I am learning about Tomcat, version 8.0.53.
At present I have some problems and I hope I can get help.
Currently I'm using
org.apache.catalina.util.RequestUtil.parseParameters().
I found this method deprecated after version 8.5.xx. I can't find in the
notes or documentation why it was abandoned or what the recommended
alternative is.
I hope you can answer it for me at your convenience.
Thank you


[ANN] Apache Tomcat 9.0.53 available

2021-09-13 Thread Rémy Maucherat
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.53.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.53 is a bugfix and feature release. The notable
changes compared to 9.0.52 include:

- Add a UserDatabase implementation as a superset of the DataSourceRealm
   functionality.

- Update the internal fork of Apache Commons DBCP to 2.9.0 and Apache
   Commons Pool to 2.11.1

- Update the packaged version of the Tomcat Native Library to 1.2.31 to
   pick up Windows binaries built with OpenSSL 1.1.1l.

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-9.0-doc/changelog.html


Downloads:
http://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: ApacheCon@Home, Tomcat-Track, request for input ...

2021-09-13 Thread Rony G. Flatscher (Apache)
In the meantime I have prepared a few nutshell examples to demonstrate how to 
use scripting
languages with Tomcat for the talk.

In case anyone is interested you can find them here (a rather old Linux 
machine):

  * Tomcat 9 (Java EE): , Java 8 LTS
  * Tomcat 10 (Jakarta EE): , Java 11 LTS

The scripting languages (not sure whether I keep all of them for the talk) 
currently are:

  * ooRexx (implemented in C++ with a Java bridge)
  * JavaScript (Nashorn, JVM)
  * Groovy (JVM)
  * Jython (JVM)
  * PHP/Resin (JVM)

You will be able to see the sources of the JSPs and the code right via the 
supplied JSP-links.

Any remarks/feedback welcome!

---rony

P.S.: Please note, I will be off for a few days starting tomorrow noon such 
that the test server
will not be serviced.


On 20.08.2021 12:13, Rony G. Flatscher (Apache) wrote:
> Hi there,
>
> in a month ApacheCon@Home 2021 [1] starts and has a Tomcat Track [2] in which 
> I will present a talk
> "Apache Tomcat: Enabling Scripting Languages in JSPs" [3]. About getting 
> ready to prepare the slides
> and samples I was wondering whether anyone in the Tomcat community would have 
> questions, ideas,
> suggestions, curiosities etc. and would kindly request for input if you have 
> any.
>
> ---rony
>
> [1] ApacheCon@Home 2021: 
> [2] Tomcat track: 
> [3] Apache Tomcat: Enabling Scripting Languages in JSPs:
> 


[ANN] Apache Tomcat 10.0.11 available

2021-09-13 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.0.11.

This release is targeted at Jakarta EE 9.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory. This conversion is performed using the Apache Tomcat 
migration tool for Jakarta EE, which is also available as a separate 
download for off-line use.


Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

The notable changes compared to 10.0.10 include:

- Add a UserDatabase implementation as a superset of the DataSourceRealm
  functionality.

- Update the internal fork of Apache Commons DBCP to 2.9.0 and Apache
  Commons Pool to 2.11.1

- Update the packaged version of the Tomcat Native Library to 1.2.31 to
  pick up Windows binaries built with OpenSSL 1.1.1l.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team




[ANN] Apache Tomcat 10.1.0-M5 (alpha) available

2021-09-13 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.1.0-M5 (alpha).

Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory. This conversion is performed using the Apache Tomcat 
migration tool for Jakarta EE, which is also available as a separate 
download for off-line use.


Apache Tomcat 10.1.0-M5 is a milestone release of the 10.1.x branch and 
has been made to provide users with early access to the new features in 
Apache Tomcat 10.1.x so that they may provide feedback. The notable 
changes compared to 10.1.0-M4 include:


- Remove the deprecated APR/Native connector which includes the HTTP APR
  and the AJP APR connector. Also remove the Java interfaces to the
  APR/Native library that are not used by the OpenSSL integration for
  the NIO and NIO2 connectors.

- Add a UserDatabase implementation as a superset of the DataSourceRealm
  functionality.

- Update the internal fork of Apache Commons DBCP to 2.9.0 and Apache
  Commons Pool to 2.11.1

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team




RE: 403 Errors for REST Web Services after upgrade from 8.5.30 to 8.5.58

2021-09-13 Thread Mike Webb
I'm sorry, the bottom section of the email below should instead be:

The server that does work has

Tomcat version: Apache Tomcat/8.5.30
JVM Version: 11.0.11+9-LTS
JVM Vendor: Red Hat, Inc.
OS Name: Linux
OS Version: 3.10.0-1160.31.1.el7.x86_64
OS Architecture: amd64



-Original Message-
From: Mike Webb  
Sent: 13 September 2021 3:57 PM
To: users@tomcat.apache.org
Subject: FW: 403 Errors for REST Web Services after upgrade from 8.5.30 to 
8.5.58

I manage a web application that uses REST Web Services.  After upgrading from 
8.5.30 to 8.5.58, the web services return 403 messages.

Commenting out the  and  sections below allows 
the web services to run again, but it does remove the security constraints.  
How can I get it working securely again?



admin
readonly
user

CN=ISSWA-MyWebsiteName-Admin,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate
 Information Services,OU=cp,OU=Services,DC=mywebsitename,DC=com

CN=ISSWA-MyWebsiteName-Readonly,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate
 Information Services,OU=cp,OU=Services,DC=mywebsitename,DC=com

CN=ISSWA-MyWebsiteName-User,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate
 Information Services,OU=cp,OU=Services,DC=mywebsitename,DC=com



CONFIDENTIAL



The server that does not work has
==
Tomcat Version:  Apache Tomcat/8.5.58   
JVM Version: 11.0.12+7-LTS
JVM Vendor: Red Hat, Inc.
OS Name: Linux  
OS Version: 3.10.0-1160.36.2.el7.x86_64
OS Architecture: amd64


The server that does not work has

Tomcat version: Apache Tomcat/8.5.30
JVM Version: 11.0.11+9-LTS
JVM Vendor: Red Hat, Inc.
OS Name: Linux
OS Version: 3.10.0-1160.31.1.el7.x86_64
OS Architecture: amd64





FW: 403 Errors for REST Web Services after upgrade from 8.5.30 to 8.5.58

2021-09-13 Thread Mike Webb
I manage a web application that uses REST Web Services.  After upgrading from 
8.5.30 to 8.5.58, the web services return 403 messages.

Commenting out the  and  sections below allows 
the web services to run again, but it does remove the security constraints.  
How can I get it working securely again?



admin
readonly
user

CN=ISSWA-MyWebsiteName-Admin,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate
 Information Services,OU=cp,OU=Services,DC=mywebsitename,DC=com

CN=ISSWA-MyWebsiteName-Readonly,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate
 Information Services,OU=cp,OU=Services,DC=mywebsitename,DC=com

CN=ISSWA-MyWebsiteName-User,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate
 Information Services,OU=cp,OU=Services,DC=mywebsitename,DC=com



CONFIDENTIAL



The server that does not work has
==
Tomcat Version:  Apache Tomcat/8.5.58   
JVM Version: 11.0.12+7-LTS
JVM Vendor: Red Hat, Inc.
OS Name: Linux  
OS Version: 3.10.0-1160.36.2.el7.x86_64
OS Architecture: amd64


The server that does not work has

Tomcat version: Apache Tomcat/8.5.30
JVM Version: 11.0.11+9-LTS
JVM Vendor: Red Hat, Inc.
OS Name: Linux
OS Version: 3.10.0-1160.31.1.el7.x86_64
OS Architecture: amd64





Re: Tomcat Virtual Host to prevent Improper-Input-Handling attack

2021-09-13 Thread Pradeep
Hi Chris,

Take any web application and try the curl command below. This curl command
sends an invalid Host header; the application should validate it by comparing
against valid host headers and block this request by returning 404/403.

curl -isk -H "host:host.whitehatsec.com" "https://staging.avoxdata.com/portal/ticket/list?offset=10_header=host"

Currently it returns 302, basically redirecting the invalid host, which is
not right.

I found this link, a solution recommended by "Andre" from the Tomcat team:


https://stackoverflow.com/questions/44054591/tomcat-virtual-host-to-prevent-improper-input-handling-attack/69130997#69130997


Let me know what you think.

Regards,
Pradeep

On Mon, 13 Sep 2021, 2:44 pm Christopher Schultz, <
ch...@christopherschultz.net> wrote:

> Pradeep,
>
> On 9/13/21 09:35, Pradeep wrote:
> > Hi Chris,
> >
> > I am using Tomcat 7.0.57, I can't change the Tomcat version now. I tried
> > adding Virtual Host with RemoteHostValve to allow list of hosts but still
> > no luck.
> >
> > 
> >  > allow="*.\myapplication\.com">
>
> This is because you are trying to block the client by their identity
> (like "localhost" if you are working locally). It has nothing whatsoever
> to do with the Host header, the hostname of the server, or anything
> else. RemoteAddrValve and RemoteHostValve are completely irrelevant for
> what you are trying to do.
>
> Can you give me specific instructions for how to reproduce this "attack"?
>
> -chris
>
> > On Mon, 13 Sep 2021, 2:28 pm Christopher Schultz, <
> > ch...@christopherschultz.net> wrote:
> >
> >> Pradeep,
> >>
> >> On 9/10/21 17:38, Pradeep wrote:
> >>> My application is HTTPS not HTTP and now one of the application
> security
> >>> platforms  WhitHatSec raised this vulnerability issue.
> >>
> >> I tried to reproduce your "attack" on Tomcat 8.5.59, like this:
> >>
> >> $ cat forge
> >> GET www.microsoft.com/ HTTP/1.1
> >> Host: www.microsoft.com
> >>
> >>
> >> $ od -t x1 -a forge
> >> 00047  45  54  20  77  77  77  2e  6d  69  63  72  6f  73  6f
> 66
> >>  G   E   T  sp   w   w   w   .   m   i   c   r   o   s   o
>  f
> >> 02074  2e  63  6f  6d  2f  20  48  54  54  50  2f  31  2e  31
> 0d
> >>  t   .   c   o   m   /  sp   H   T   T   P   /   1   .   1
> cr
> >> 0400a  48  6f  73  74  3a  20  77  77  77  2e  6d  69  63  72
> 6f
> >> nl   H   o   s   t   :  sp   w   w   w   .   m   i   c   r
>  o
> >> 06073  6f  66  74  2e  63  6f  6d  0d  0a  0d  0a
> >>  s   o   f   t   .   c   o   m  cr  nl  cr  nl
> >>
> >> $ nc tomcat 8080 < forge
> >> HTTP/1.1 400
> >> Content-Type: text/html;charset=utf-8
> >> Content-Language: en
> >> Content-Length: 795
> >> Date: Mon, 13 Sep 2021 13:22:51 GMT
> >> Connection: close
> >>
> >> HTTP Status 400 – Bad
> >> Requestbody
> >> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> >> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> >> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> >> {color:black;} .line
> >>
> {height:1px;background-color:#525D76;border:none;}HTTP
> >>
> >> Status 400 – Bad RequestType Status
> >> ReportMessage Invalid URIDescription The
> >> server cannot or will not process the request due to something that is
> >> perceived to be a client error (e.g., malformed request syntax, invalid
> >> request message framing, or deceptive request routing). >> class="line" />
> >>
> >> Changing the "www.microsoft.com" to "http://www.microsoft.com" returns
> >> this:
> >>
> >> HTTP/1.1 404
> >> Content-Type: text/html;charset=utf-8
> >> Content-Language: en
> >> Content-Length: 751
> >> Date: Mon, 13 Sep 2021 13:25:22 GMT
> >>
> >> HTTP Status 404 – Not
> >> Foundbody
> >> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> >> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> >> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> >> {color:black;} .line
> >>
> {height:1px;background-color:#525D76;border:none;}HTTP
> >>
> >> Status 404 – Not FoundType Status
> >> ReportMessage The requested resource [] is not
> >> availableDescription The origin server did not find a
> >> current representation for the target resource or is not willing to
> >> disclose that one exists.Apache
> >> Tomcat/8.5.59
> >>
> >> Removing the "www.microsoft.com" from the request-line returns this:
> >>
> >> HTTP/1.1 404
> >> Content-Type: text/html;charset=utf-8
> >> Content-Language: en
> >> Content-Length: 751
> >> Date: Mon, 13 Sep 2021 13:24:34 GMT
> >>
> >> HTTP Status 404 – Not
> >> Foundbody
> >> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> >> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> >> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> >> {color:black;} .line
> >>
> {height:1px;background-color:#525D76;border:none;}HTTP
> >>
> >> Status 404 – Not FoundType Status
> >> ReportMessage The requested resource [] is not
> >> availableDescription The origin server did not find a
> >> 

Re: Tomcat Virtual Host to prevent Improper-Input-Handling attack

2021-09-13 Thread Christopher Schultz

Pradeep,

On 9/13/21 09:35, Pradeep wrote:
> I am using Tomcat 7.0.57, I can't change the Tomcat version now.

Running my previous "forge" file (with GET http://www.microsoft.com/ and
the forged Host header) against Tomcat 7.0.57:


$ nc localhost 8080 < forge
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Mon, 13 Sep 2021 13:46:25 GMT

2000


[remainder of the "welcome" document from ROOT] context.

Changing the request line to "GET www.microsoft.com/ HTTP/1.1":

$ nc localhost 8080 < forge
HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Mon, 13 Sep 2021 13:49:01 GMT
Connection: close

Changing the request line to "GET / HTTP/1.1":

$ nc localhost 8080 < forge
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Mon, 13 Sep 2021 13:49:27 GMT

2000


[welcome page, again]

I cannot reproduce your circumstances.

Please provide steps-to-reproduce.

-chris




Re: Tomcat Virtual Host to prevent Improper-Input-Handling attack

2021-09-13 Thread Christopher Schultz

Pradeep,

On 9/13/21 09:35, Pradeep wrote:
> Hi Chris,
>
> I am using Tomcat 7.0.57, I can't change the Tomcat version now. I tried
> adding Virtual Host with RemoteHostValve to allow list of hosts but still
> no luck.
>

This is because you are trying to block the client by their identity 
(like "localhost" if you are working locally). It has nothing whatsoever 
to do with the Host header, the hostname of the server, or anything 
else. RemoteAddrValve and RemoteHostValve are completely irrelevant for 
what you are trying to do.

Can you give me specific instructions for how to reproduce this "attack"?

-chris

> On Mon, 13 Sep 2021, 2:28 pm Christopher Schultz, <
> ch...@christopherschultz.net> wrote:
>
> > Pradeep,
> >
> > On 9/10/21 17:38, Pradeep wrote:
> > > My application is HTTPS not HTTP and now one of the application security
> > > platforms  WhitHatSec raised this vulnerability issue.
> >
> > I tried to reproduce your "attack" on Tomcat 8.5.59, like this:
> >
> > $ cat forge
> > GET www.microsoft.com/ HTTP/1.1
> > Host: www.microsoft.com
> >
> >
> > $ od -t x1 -a forge
> > 00047  45  54  20  77  77  77  2e  6d  69  63  72  6f  73  6f  66
> >  G   E   T  sp   w   w   w   .   m   i   c   r   o   s   o   f
> > 02074  2e  63  6f  6d  2f  20  48  54  54  50  2f  31  2e  31  0d
> >  t   .   c   o   m   /  sp   H   T   T   P   /   1   .   1  cr
> > 0400a  48  6f  73  74  3a  20  77  77  77  2e  6d  69  63  72  6f
> > nl   H   o   s   t   :  sp   w   w   w   .   m   i   c   r   o
> > 06073  6f  66  74  2e  63  6f  6d  0d  0a  0d  0a
> >  s   o   f   t   .   c   o   m  cr  nl  cr  nl
> >
> > $ nc tomcat 8080 < forge
> > HTTP/1.1 400
> > Content-Type: text/html;charset=utf-8
> > Content-Language: en
> > Content-Length: 795
> > Date: Mon, 13 Sep 2021 13:22:51 GMT
> > Connection: close
> >
> > HTTP Status 400 – Bad
> > Requestbody
> > {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> > {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> > {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> > {color:black;} .line
> > {height:1px;background-color:#525D76;border:none;}HTTP
> >
> > Status 400 – Bad RequestType Status
> > ReportMessage Invalid URIDescription The
> > server cannot or will not process the request due to something that is
> > perceived to be a client error (e.g., malformed request syntax, invalid
> > request message framing, or deceptive request routing).
> >
> > Changing the "www.microsoft.com" to "http://www.microsoft.com" returns
> > this:
> >
> > HTTP/1.1 404
> > Content-Type: text/html;charset=utf-8
> > Content-Language: en
> > Content-Length: 751
> > Date: Mon, 13 Sep 2021 13:25:22 GMT
> >
> > HTTP Status 404 – Not
> > Foundbody
> > {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> > {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> > {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> > {color:black;} .line
> > {height:1px;background-color:#525D76;border:none;}HTTP
> >
> > Status 404 – Not FoundType Status
> > ReportMessage The requested resource [] is not
> > availableDescription The origin server did not find a
> > current representation for the target resource or is not willing to
> > disclose that one exists.Apache
> > Tomcat/8.5.59
> >
> > Removing the "www.microsoft.com" from the request-line returns this:
> >
> > HTTP/1.1 404
> > Content-Type: text/html;charset=utf-8
> > Content-Language: en
> > Content-Length: 751
> > Date: Mon, 13 Sep 2021 13:24:34 GMT
> >
> > HTTP Status 404 – Not
> > Foundbody
> > {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> > {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> > {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> > {color:black;} .line
> > {height:1px;background-color:#525D76;border:none;}HTTP
> >
> > Status 404 – Not FoundType Status
> > ReportMessage The requested resource [] is not
> > availableDescription The origin server did not find a
> > current representation for the target resource or is not willing to
> > disclose that one exists.Apache
> > Tomcat/8.5.59
> >
> > Please show me what (exact) steps are required to reproduce this issue.
> > Also please try your "attack" against Tomcat 8.5.x and/or 9.0.x as well
> > as your Tomcat 7.0.x version.
> >
> > > I tried the above configuration mentioned but no luck but this
> > > configuration advised in Apache website
> > > http://tomcat.apache.org/tomcat-9.0-doc/config/host.html#Request_Filters
> > > to filter Host Header. I understand this is trivial but I have to fix
> > > and I think I should handle it in the application server Tomcat7.
> >
> > You can't filter-out the Host header. Well, not effectively.
> >
> > > I tried the below configuration but still validation is not working,
> > > it's still redirecting other Host Headers. Please let me know what
> > > else configuration I can try >
> > >
> > > className="org.apache.catalina.valves.RemoteAddrValve"
> > > allow=".*\.myapplication1\.com|.*\myapplication2\.com"/>
> > >
> >
> > You misunderstand the purpose of the RemoteAddrValve[1].
> >
> > The valve enforces client identity, not the host the client is trying to
> > access. It also works on IP addresses, not hostnames. I'm surprised you
> > were able to access anything at all.
> >
> > -chris
> >
> > [1]
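Since the valves discussed in this thread check who the client is rather than which host name it asked for, an application that must refuse unexpected Host values needs its own check. The servlet Filter below is an added example, not code from this thread or from the Tomcat project; it assumes the Servlet 3.0 javax.servlet API (what Tomcat 7 and 8.5 ship), a hypothetical init-param named allowedHosts and a hypothetical package example.filter. It compares the raw Host header against an explicit allow-list and answers 400 to anything else, so no redirect is ever built from a forged value.

```java
package example.filter;  // hypothetical package name for this example

import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects any request whose Host header is not on an explicit allow-list.
 * Runs before application code, so a forged Host value never reaches the
 * logic that builds absolute redirect URLs from it.
 *
 * Registration in WEB-INF/web.xml (hypothetical names):
 *   <filter>
 *     <filter-name>hostHeaderFilter</filter-name>
 *     <filter-class>example.filter.HostHeaderFilter</filter-class>
 *     <init-param>
 *       <param-name>allowedHosts</param-name>
 *       <param-value>www.example.com,example.com</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>hostHeaderFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class HostHeaderFilter implements Filter {

    private Set<String> allowedHosts = Collections.emptySet();

    @Override
    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("allowedHosts");
        if (param == null || param.trim().isEmpty()) {
            // Fail closed: a filter with no allow-list would block nothing.
            throw new ServletException("allowedHosts init-param is required");
        }
        Set<String> hosts = new HashSet<String>();
        for (String h : param.split(",")) {
            String norm = normalize(h);
            if (!norm.isEmpty()) {
                hosts.add(norm);
            }
        }
        allowedHosts = Collections.unmodifiableSet(hosts);
    }

    /** Trims, lower-cases and strips any :port suffix so only the host part is compared. */
    static String normalize(String host) {
        if (host == null) {
            return "";
        }
        String h = host.trim().toLowerCase(Locale.ROOT);
        if (h.startsWith("[")) {                 // IPv6 literal, e.g. [::1]:8443
            int close = h.indexOf(']');
            return close < 0 ? "" : h.substring(0, close + 1);
        }
        int colon = h.indexOf(':');
        return colon < 0 ? h : h.substring(0, colon);
    }

    /** True when the normalized Host header value is on the allow-list. */
    boolean isAllowed(String hostHeader) {
        String norm = normalize(hostHeader);
        return !norm.isEmpty() && allowedHosts.contains(norm);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Read the raw header rather than getServerName(): with an absolute-URI
        // request-line the container may take the server name from the URI
        // instead of the Host header, which is exactly the case being probed.
        if (!isAllowed(request.getHeader("Host"))) {
            // Plain 400, no redirect, and nothing echoed back from the bad value.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid Host header");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Values are compared after trimming, lower-casing and dropping the port, so www.example.com:8443 matches an allow-list entry of www.example.com, and IPv6 literals keep their brackets. Throwing from init() when the parameter is missing keeps the filter fail-closed: a misconfigured deployment refuses to start rather than silently accepting every Host value. A fronting reverse proxy can enforce the same allow-list one layer earlier; the filter is the check that travels with the application.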


Re: Aw: Re: tomcat hangs

2021-09-13 Thread Christopher Schultz

Peter,

On 9/13/21 04:12, Peter Rader wrote:
> Chris,
>
> > Sent: Thursday, 09 September 2021 at 22:15
> > From: "Christopher Schultz" 
> > To: users@tomcat.apache.org
> > Subject: Re: Aw: tomcat hangs
> > Peter,
> >
> > On 9/9/21 08:21, Peter Rader wrote:
> > > I might have noticed a similar issue: I ran the JVM in a linux OS on a VM
> > > (in virtualbox btw). The jdk for some reason request a random number.
> > > The JDK asks the LinuxOS for a new random number (maybe in the hope
> > > to use a hardware-based TRNG). Since this linux in virtualbox is
> > > not-so low-level the random number is generated due to RAM
> > > squarenumbers, because no memory is changed - no new random number
> > > has been generated and we get an OS-based softlock.
> >
> > WHAT?
> >
> > -chris
>
> YES, id reported this many years ago
> https://bugs.java.com/bugdatabase/view_bug.do?bug_id=4952383
>
> There is a workaround (from comments): set java.security.egd=file:/dev/urandom

That is a very very very old hack which shouldn't be required under any 
modern installation.

My "WHAT?" question was more about the string of words before that, only 
some of which coalesced into a coherent idea.

-chris




Re: Tomcat Virtual Host to prevent Improper-Input-Handling attack

2021-09-13 Thread Pradeep
Hi Chris,

I am using Tomcat 7.0.57, I can't change the Tomcat version now. I tried
adding Virtual Host with RemoteHostValve to allow list of hosts but still
no luck.




Regards,
Pradeep

On Mon, 13 Sep 2021, 2:28 pm Christopher Schultz, <
ch...@christopherschultz.net> wrote:

> Pradeep,
>
> On 9/10/21 17:38, Pradeep wrote:
> > My application is HTTPS not HTTP and now one of the application security
> > platforms  WhitHatSec raised this vulnerability issue.
>
> I tried to reproduce your "attack" on Tomcat 8.5.59, like this:
>
> $ cat forge
> GET www.microsoft.com/ HTTP/1.1
> Host: www.microsoft.com
>
>
> $ od -t x1 -a forge
> 00047  45  54  20  77  77  77  2e  6d  69  63  72  6f  73  6f  66
> G   E   T  sp   w   w   w   .   m   i   c   r   o   s   o   f
> 02074  2e  63  6f  6d  2f  20  48  54  54  50  2f  31  2e  31  0d
> t   .   c   o   m   /  sp   H   T   T   P   /   1   .   1  cr
> 0400a  48  6f  73  74  3a  20  77  77  77  2e  6d  69  63  72  6f
>nl   H   o   s   t   :  sp   w   w   w   .   m   i   c   r   o
> 06073  6f  66  74  2e  63  6f  6d  0d  0a  0d  0a
> s   o   f   t   .   c   o   m  cr  nl  cr  nl
>
> $ nc tomcat 8080 < forge
> HTTP/1.1 400
> Content-Type: text/html;charset=utf-8
> Content-Language: en
> Content-Length: 795
> Date: Mon, 13 Sep 2021 13:22:51 GMT
> Connection: close
>
> HTTP Status 400 – Bad
> Requestbody
> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}HTTP
>
> Status 400 – Bad RequestType Status
> ReportMessage Invalid URIDescription The
> server cannot or will not process the request due to something that is
> perceived to be a client error (e.g., malformed request syntax, invalid
> request message framing, or deceptive request routing). class="line" />
>
> Changing the "www.microsoft.com" to "http://www.microsoft.com" returns
> this:
>
> HTTP/1.1 404
> Content-Type: text/html;charset=utf-8
> Content-Language: en
> Content-Length: 751
> Date: Mon, 13 Sep 2021 13:25:22 GMT
>
> HTTP Status 404 – Not
> Foundbody
> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}HTTP
>
> Status 404 – Not FoundType Status
> ReportMessage The requested resource [] is not
> availableDescription The origin server did not find a
> current representation for the target resource or is not willing to
> disclose that one exists.Apache
> Tomcat/8.5.59
>
> Removing the "www.microsoft.com" from the request-line returns this:
>
> HTTP/1.1 404
> Content-Type: text/html;charset=utf-8
> Content-Language: en
> Content-Length: 751
> Date: Mon, 13 Sep 2021 13:24:34 GMT
>
> HTTP Status 404 – Not
> Foundbody
> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}HTTP
>
> Status 404 – Not FoundType Status
> ReportMessage The requested resource [] is not
> availableDescription The origin server did not find a
> current representation for the target resource or is not willing to
> disclose that one exists.Apache
> Tomcat/8.5.59
>
> Please show me what (exact) steps are required to reproduce this issue.
> Also please try your "attack" against Tomcat 8.5.x and/or 9.0.x as well
> as your Tomcat 7.0.x version.
>
> > I tried the above configuration mentioned but no luck but this
> > configuration advised in Apache website
> > http://tomcat.apache.org/tomcat-9.0-doc/config/host.html#Request_Filters
>  > to filter Host Header. I understand this is trivial but I have to fix
> > and I think I should handle it in the application server Tomcat7.
> You can't filter-out the Host header. Well, not effectively.
>
> > I tried the below configuration but still validation is not working,
> > it's still redirecting other Host Headers. Please let me know what
> > else configuration I can try >
>  >   
>  >> className="org.apache.catalina.valves.RemoteAddrValve"
>  > allow=".*\.myapplication1\.com|.*\myapplication2\.com"/>
>  > 
>
> You misunderstand the purpose of the RemoteAddrValve[1].
>
> The valve enforces client identity, not the host the client is trying to
> access. It also works on IP addresses, not hostnames. I'm surprised you
> were able to access anything at all.
>
> -chris
>
> [1]
>
> http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_Address_Valve
>
> > On Fri, Sep 10, 2021 at 7:36 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> >> Pradeep,
> >>
> >> On 9/10/21 06:19, 

Re: Server redirected too many times (20)

2021-09-13 Thread Christopher Schultz

Barry,

On 9/12/21 12:59, Barry Kimelman wrote:
> I just installed tomcat 9.0.52 on my linux ubuntu 20.04 LTS system.
>
> I was successfully able to run the manager app as a test.
>
> Now I am trying to build an application that I had worked on quite a while
> ago in an older version of tomcat.
>
> I have a script which runs a series of ANT commands to build and install my
> app which has always worked well.
>
> Now with this version of tomcat when I run   ant remove I get the following
> error messages
>
> Buildfile: /home/barry/tomcat/hockey3/build.xml
> Trying to override old definition of datatype resources
>
> remove:
>
> BUILD FAILED
> /home/barry/tomcat/hockey3/build.xml:504: java.net.ProtocolException:
> Server redirected too many  times (20)
> at
> java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1932)
> at
> java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520)
> at
> org.apache.catalina.ant.AbstractCatalinaTask.execute(AbstractCatalinaTask.java:224)
> at
> org.apache.catalina.ant.AbstractCatalinaTask.execute(AbstractCatalinaTask.java:156)
> at org.apache.catalina.ant.UndeployTask.execute(UndeployTask.java:41)
> at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
> at jdk.internal.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:99)
> at org.apache.tools.ant.Task.perform(Task.java:350)
> at org.apache.tools.ant.Target.execute(Target.java:449)
> at org.apache.tools.ant.Target.performTasks(Target.java:470)
> at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1391)
> at org.apache.tools.ant.Project.executeTarget(Project.java:1364)
> at
> org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
> at org.apache.tools.ant.Project.executeTargets(Project.java:1254)
> at org.apache.tools.ant.Main.runBuild(Main.java:830)
> at org.apache.tools.ant.Main.startAnt(Main.java:223)
> at org.apache.tools.ant.launch.Launcher.run(Launcher.java:284)
> at org.apache.tools.ant.launch.Launcher.main(Launcher.java:101)
>
> Total time: 0 seconds
>
> Here is the relevant portion of my build.xml file
>
>
>    48 
>
>    79  
>    80  
>
>   127  
>   128  
>   129  
>   130  
>   131  
>   132  
>   133  
>   134  http://localhost:8080/manager/text"/>
>   135  
>   136  
>
>   487 
>   488
>
>   497
>   498  
>   500
>   501
>   505
>   506  
>
> I am puzzled.   What have I done wrong?


Try running "ant -v [target]" and see if you get more output.

-chris




Re: Tomcat Virtual Host to prevent Improper-Input-Handling attack

2021-09-13 Thread Christopher Schultz

Pradeep,

On 9/10/21 17:38, Pradeep wrote:
> My application is HTTPS not HTTP and now one of the application security
> platforms  WhitHatSec raised this vulnerability issue.


I tried to reproduce your "attack" on Tomcat 8.5.59, like this:

$ cat forge
GET www.microsoft.com/ HTTP/1.1
Host: www.microsoft.com


$ od -t x1 -a forge
0000000  47  45  54  20  77  77  77  2e  6d  69  63  72  6f  73  6f  66
          G   E   T  sp   w   w   w   .   m   i   c   r   o   s   o   f
0000020  74  2e  63  6f  6d  2f  20  48  54  54  50  2f  31  2e  31  0d
          t   .   c   o   m   /  sp   H   T   T   P   /   1   .   1  cr
0000040  0a  48  6f  73  74  3a  20  77  77  77  2e  6d  69  63  72  6f
         nl   H   o   s   t   :  sp   w   w   w   .   m   i   c   r   o
0000060  73  6f  66  74  2e  63  6f  6d  0d  0a  0d  0a
          s   o   f   t   .   c   o   m  cr  nl  cr  nl

$ nc tomcat 8080 < forge
HTTP/1.1 400
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 795
Date: Mon, 13 Sep 2021 13:22:51 GMT
Connection: close

HTTP Status 400 – Bad Request

Type: Status Report
Message: Invalid URI
Description: The server cannot or will not process the request due to something that is 
perceived to be a client error (e.g., malformed request syntax, invalid 
request message framing, or deceptive request routing).


Changing the "www.microsoft.com" to "http://www.microsoft.com" returns this:

HTTP/1.1 404
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 751
Date: Mon, 13 Sep 2021 13:25:22 GMT

HTTP Status 404 – Not Found

Type: Status Report
Message: The requested resource [] is not available
Description: The origin server did not find a current representation for the 
target resource or is not willing to disclose that one exists.

Apache Tomcat/8.5.59


Removing the "www.microsoft.com" from the request-line returns this:

HTTP/1.1 404
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 751
Date: Mon, 13 Sep 2021 13:24:34 GMT

HTTP Status 404 – Not Found

Type: Status Report
Message: The requested resource [] is not available
Description: The origin server did not find a current representation for the 
target resource or is not willing to disclose that one exists.

Apache Tomcat/8.5.59


Please show me what (exact) steps are required to reproduce this issue. 
Also please try your "attack" against Tomcat 8.5.x and/or 9.0.x as well 
as your Tomcat 7.0.x version.


> I tried the above configuration mentioned but no luck but this
> configuration advised in Apache website
> http://tomcat.apache.org/tomcat-9.0-doc/config/host.html#Request_Filters
> to filter Host Header. I understand this is trivial but I have to fix
> and I think I should handle it in the application server Tomcat7.

You can't filter-out the Host header. Well, not effectively.


> I tried the below configuration but still validation is not working,
> it's still redirecting other Host Headers. Please let me know what
> else configuration I can try
>
>   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>          allow=".*\.myapplication1\.com|.*\myapplication2\.com"/>
>

You misunderstand the purpose of the RemoteAddrValve[1].

The valve enforces client identity, not the host the client is trying to 
access. It also works on IP addresses, not hostnames. I'm surprised you 
were able to access anything at all.


-chris

[1] 
http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_Address_Valve



On Fri, Sep 10, 2021 at 7:36 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:


> Pradeep,
>
> On 9/10/21 06:19, Pradeep wrote:
> > Hi Team,
> >
> > I need your help to fix HTTP Host header attacks.
> > I'm currently in the process of trying to fix a site vulnerability,
> > basically it is one type of the "Improper Input Handling" attack.
> >
> > Let's say my website is www.mywebsite.com and there is a hacker's website
> > www.hacker.com
> > Whenever there is a request sent to www.mywebsite.com with modified

Aw: Re: tomcat hangs

Chris,

> Gesendet: Donnerstag, 09. September 2021 um 22:15 Uhr
> Von: "Christopher Schultz" 
> An: users@tomcat.apache.org
> Betreff: Re: Aw: tomcat hangs
> Peter,
>
> On 9/9/21 08:21, Peter Rader wrote:
> > I might have noticed a similar issue: I ran the JVM in a linux OS on a VM
> > (in virtualbox btw). The jdk for some reason request a random number.
> > The JDK asks the LinuxOS for a new random number (maybe in the hope
> > to use a hardware-based TRNG). Since this linux in virtualbox is
> > not-so low-level the random number is generated due to RAM
> > squarenumbers, because no memory is changed - no new random number
> > has been generated and we get a OS-based softlock.
>
> WHAT?
>
> -chris

YES, I'd reported this many years ago 
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=4952383

There is a workaround (from comments): set java.security.egd=file:/dev/urandom

Regards

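The hang described in this thread has a recognisable signature that is worth confirming before applying the `java.security.egd` workaround: the stuck thread is not BLOCKED or WAITING but RUNNABLE, sitting in `FileInputStream.readBytes(Native Method)` underneath `sun.security.provider.SeedGenerator`, because the JDK is reading the kernel's blocking `/dev/random` to seed `SecureRandom`, and Tomcat additionally logs a warning from `SessionIdGeneratorBase` when that seeding took a long time. The following is an added example written for this page, not from the thread or from Tomcat: a shell triage that scans a jstack dump and catalina.out for both signals, run here against constructed samples in the real formats; the threshold and the helper names are assumptions. One caveat on the workaround itself: older JDKs special-cased the exact string `file:/dev/urandom` and still read `/dev/random` (JDK-6202721), which is why the commonly recommended spelling is `file:/dev/./urandom`. On Linux 5.6 and later `/dev/random` no longer blocks once the kernel RNG is initialised, so this mostly bites older kernels and early boot.

```shell
#!/bin/sh
# Added example, not from the thread: triage for the "Tomcat hangs" symptom,
# a JVM blocked on the kernel entropy pool while seeding SecureRandom.
# Both inputs below are constructed samples in the format jstack and
# catalina.out actually use; the threshold and function names are assumptions.

# Constructed jstack excerpt: one thread stuck in a native read inside the JDK
# seed generator (the /dev/random signature), one healthy parked thread.
SAMPLE_JSTACK='"http-nio-8080-exec-1" #25 daemon prio=5 os_prio=0 tid=0x00007f3c4c0a1000 nid=0x1a2b runnable [0x00007f3c30fed000]
   java.lang.Thread.State: RUNNABLE
        at java.io.FileInputStream.readBytes(Native Method)
        at java.io.FileInputStream.read(FileInputStream.java:255)
        at sun.security.provider.NativeSeedGenerator.getSeedBytes(NativeSeedGenerator.java:42)
        at sun.security.provider.SeedGenerator.generateSeed(SeedGenerator.java:144)
        at sun.security.provider.SecureRandom$SeederHolder.<clinit>(SecureRandom.java:203)
        at sun.security.provider.SecureRandom.engineNextBytes(SecureRandom.java:221)
        at java.security.SecureRandom.nextBytes(SecureRandom.java:468)
        at org.apache.catalina.util.SessionIdGeneratorBase.getRandomBytes(SessionIdGeneratorBase.java:113)

"http-nio-8080-exec-2" #26 daemon prio=5 os_prio=0 tid=0x00007f3c4c0a3000 nid=0x1a2c waiting on condition [0x00007f3c30eec000]
   java.lang.Thread.State: WAITING (parking)
        at sun.misc.Unsafe.park(Native Method)
        at java.util.concurrent.locks.LockSupport.park(LockSupport.java:175)'

# Constructed catalina.out excerpt carrying the warning Tomcat logs when the
# session-ID generator's SecureRandom took a long time to initialise.
SAMPLE_CATALINA_OUT='13-Sep-2021 13:22:40.118 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 1834 ms
13-Sep-2021 13:25:01.502 WARNING [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [118,204] milliseconds.'

# Read a jstack dump on stdin and print the name of every thread that is inside
# the JDK seed generator while blocked in a native file read. Such threads show
# as RUNNABLE, so grepping for BLOCKED/WAITING states would miss them.
blocked_seeders() {
    awk '
        /^"/ { match($0, /^"[^"]*"/); name = substr($0, 2, RLENGTH - 2); in_read = 0; seeding = 0 }
        /FileInputStream\.readBytes\(Native Method\)/ { in_read = 1 }
        /sun\.security\.provider\.(Native)?SeedGenerator/ { seeding = 1 }
        /^$/ { if (in_read && seeding && name != "") print name; name = "" }
        END  { if (in_read && seeding && name != "") print name }
    '
}

# Read catalina.out on stdin and print the largest SecureRandom seeding delay
# in milliseconds (Tomcat formats the number with thousands separators).
worst_seed_delay_ms() {
    sed -n 's/.*SessionIdGeneratorBase.*took \[\([0-9,]*\)\] milliseconds.*/\1/p' \
        | tr -d ',' | sort -n | tail -n 1
}

# Usage: entropy_starved "<jstack text>" "<catalina.out text>" [threshold_ms]
# Returns 0 when either signal says the JVM is starved for entropy.
entropy_starved() {
    threshold=${3:-5000}
    stuck=$(printf '%s\n' "$1" | blocked_seeders)
    delay=$(printf '%s\n' "$2" | worst_seed_delay_ms)
    [ -n "$stuck" ] && return 0
    [ -n "$delay" ] && [ "$delay" -gt "$threshold" ] && return 0
    return 1
}

# The workaround from the thread, as it goes in $CATALINA_BASE/bin/setenv.sh.
# "file:/dev/./urandom" rather than "file:/dev/urandom": older JDKs matched the
# latter string literally and still read /dev/random (JDK-6202721).
EGD_FIX='CATALINA_OPTS="$CATALINA_OPTS -Djava.security.egd=file:/dev/./urandom"'

if entropy_starved "$SAMPLE_JSTACK" "$SAMPLE_CATALINA_OUT"; then
    echo "entropy starvation detected; add to setenv.sh: $EGD_FIX"
fi
```

Run it against a real `jstack <pid>` capture and the live catalina.out by replacing the two sample strings; a hang that does not show either signal is something else, and the egd setting will not help with it.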