Re: mod_jk multiple slashes reveals jsp code

2003-06-26 Thread Henri Gomez
Palle Girgensohn wrote:
> --On Wednesday, June 25, 2003 11.16.02 +0200 Henri Gomez
> [EMAIL PROTECTED] wrote:
>
>> Palle Girgensohn wrote:
>>
>>> Hi,
>>>
>>> When using mod_jk and apache13:
>>>
>>> JkMount /app/*jsp ajp13
>>>
>>> will redirect requests like http://server/app/foobar.jsp to tomcat, just
>>> fine.
>>> But, http://server//app/foobar.jsp will not be caught by JkMount, and
>>> apache will send the jsp source code to the browser. Of course, a
>>> rewrite can hinder this, but is it really meant to be this way? Is it
>>> just me having problems?
>>
>> Didn't have such behaviour with mod_jk 1.2.4 and tomcat 3.3.1a, got
>> a 404 instead.
>> BTW, I'm using
>>
>> JkMount /app/* ajp13
>
> That's a different rule, match rule instead of suffix rule. The same
> code is responsible, though. If you get a 404, it is apache that cannot
> find the file you try to access for some other reason. The request never
> gets to tomcat. I too get 404 with that rule when accessing servlets
> this way, but I get jsp source code.
>
> Problem is that mod_jk only does a strncmp and never bothers to check
> for anomalies in the URL. The mod_jk design never cares about this
> problem, which is strange. It is coded this way on purpose. It is not a
> bug, it is a design flaw. :(

Could we stop the useless criticism and flames and be more positive?

It's open source, and if you have objections, you're welcome to provide
fixes.

Never forget that mod_jk WAS DESIGNED to be cross web server compatible
and that's why some of the Apache functions are not used.

BTW, on the Tomcat side, there are some URI checks, since this problem
could also appear when using the built-in http connector.
In the actual case the problem seems to be that Apache handles the jsp
directly since it didn't forward it to tomcat (probably because apache
and tomcat run on the same machine).




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: mod_jk multiple slashes reveals jsp code

2003-06-26 Thread Marc Slemko
On Thu, 26 Jun 2003, Henri Gomez wrote:

> Could we stop the useless criticism and flames and be more positive?

I'm sorry that you think it is useless to point out the specific areas
where mod_jk and mod_jk2 are doing things wrong.

> It's open source, and if you have objections, you're welcome to provide
> fixes.

To be honest, that isn't too appealing given the sad state of all
the different connectors available and the extremely poor state of
documentation about what is what and how things are supposed to
work.  But that is irrelevant, and doesn't change the validity of pointing
out what things are problems and why.

What is the release plan for mod_jk2?  Is there any plan for making it
production quality?  There doesn't seem to be much happening with it.
Is one better served to work on mod_jk instead and give up on mod_jk2?

> Never forget that mod_jk WAS DESIGNED to be cross web server compatible
> and that's why some of the Apache functions are not used.

mod_jk is the Apache specific module.  The fact that there are other
modules using some shared code that are specific to other webservers
doesn't change anything.

Web server specific plugins are the things that should tie tomcat in
with the way the particular webserver works.

It is quite sad to see how much worse webserver plugins have gotten
since the days of mod_jserv.

> BTW, on the Tomcat side, there are some URI checks, since this problem
> could also appear when using the built-in http connector.
>
> In the actual case the problem seems to be that Apache handles the jsp
> directly since it didn't forward it to tomcat (probably because apache
> and tomcat run on the same machine).

The problem isn't that Apache doesn't forward it, the problem is that
mod_jk doesn't forward it because it reimplements things that Apache
can do for it a lot better and in a way that ensures it is compatible
with everything else happening in the webserver.  The same applies to
other webservers.  The mapping of what things should be passed to
tomcat and what things shouldn't is a security critical area that
can not be glossed over with a "ahh, we'll just make up our own way of
doing things since it means we don't have to bother with the webserver."
It is a plugin for the webserver, you have to bother with how the webserver
works.

It was a bad design decision to take the shortcut of trying to embed
all the configuration within shared code and reuse it for every webserver.

By describing the problems, I'm hoping that someone who does have the
time right now can actually make one of the multitude of Apache -- tomcat
connectors into something production quality without gaping security,
performance, and stability issues.  If not, then it will have to wait
until I am at a point in my day job where we need to be deploying our
applications and they need to actually work right and I'll worry about
it then.

Oh, for whoever is trying to actually make mod_jk work right... you may
be able to do a SetHandler jakarta-servlet inside a Files section
in a Directory section, not sure if it supports it properly or not, although
that doesn't let you specify a specific worker.




Re: mod_jk multiple slashes reveals jsp code

2003-06-26 Thread Henri Gomez
Marc Slemko wrote:
> On Thu, 26 Jun 2003, Henri Gomez wrote:
>
>> Could we stop the useless criticism and flames and be more positive?
>
> I'm sorry that you think it is useless to point out the specific areas
> where mod_jk and mod_jk2 are doing things wrong.

If jk does some things wrong, we're open to making them evolve; that's a
devel list after all.

>> It's open source, and if you have objections, you're welcome to provide
>> fixes.
>
> To be honest, that isn't too appealing given the sad state of all
> the different connectors available and the extremely poor state of
> documentation about what is what and how things are supposed to
> work.  But that is irrelevant, and doesn't change the validity of pointing
> out what things are problems and why.

Sad state, are you sure? There are plenty of sites which use it every day
for their production purposes.

No documentation, you're kidding, did you take a look at the online
documentation at:

http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/doc/

http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk2/doc/

> What is the release plan for mod_jk2?  Is there any plan for making it
> production quality?  There doesn't seem to be much happening with it.
> Is one better served to work on mod_jk instead and give up on mod_jk2?

We need more contributors, so once again you're welcome.
Mladen and Costin are doing great work in jk2 and there is now a need
for more serious tests and fixes before it becomes production ready.

>> Never forget that mod_jk WAS DESIGNED to be cross web server compatible
>> and that's why some of the Apache functions are not used.
>
> mod_jk is the Apache specific module.  The fact that there are other
> modules using some shared code that are specific to other webservers
> doesn't change anything.

Of course, but the 'common' modules may handle things which could
sometimes be delegated to specific webservers; that's one of the big
differences between jk and jk2.

> Web server specific plugins are the things that should tie tomcat in
> with the way the particular webserver works.

All connector work is now done in jakarta-tomcat-connectors, and jk,
jk2, coyote, http11 live there and are used by TC3/4/5.

> It is quite sad to see how much worse webserver plugins have gotten
> since the days of mod_jserv.

Well, there are 3 solutions for you:

- You contribute code to make mod_jk/mod_jk2 better.

- You get mod_jserv sources and make a successor, ie mod_jserv2, which
  will deprecate mod_jk easily if it performs better.
- You develop a whole new connector module for
  Apache 1.3/Apache 2.0/IIS/Domino/iPlanet.

Please stop this flame thread if you only have criticism to formulate
and no suggestions or fixes.

This is the tomcat-dev list, not the 'complaints bureau'.





Re: mod_jk multiple slashes reveals jsp code

2003-06-26 Thread Remy Maucherat
Marc Slemko wrote:
> On Thu, 26 Jun 2003, Henri Gomez wrote:
>
> By describing the problems, I'm hoping that someone who does have the
> time right now can actually make one of the multitude of Apache -- tomcat
> connectors into something production quality without gaping security,
> performance, and stability issues.  If not, then it will have to wait
> until I am at a point in my day job where we need to be deploying our
> applications and they need to actually work right and I'll worry about
> it then.
>
> Oh, for whoever is trying to actually make mod_jk work right... you may
> be able to do a SetHandler jakarta-servlet inside a Files section
> in a Directory section, not sure if it supports it properly or not, although
> that doesn't let you specify a specific worker.

Nice whine ;-)

If you someday choose to dedicate the same kind of effort on
contributing to TC, I would be very happy (and a lot of people would be
very grateful too) :)

Remy


Re: mod_jk multiple slashes reveals jsp code

2003-06-25 Thread Henri Gomez
Palle Girgensohn wrote:
> Hi,
>
> When using mod_jk and apache13:
>
> JkMount /app/*jsp ajp13
>
> will redirect requests like http://server/app/foobar.jsp to tomcat, just
> fine.
>
> But, http://server//app/foobar.jsp will not be caught by JkMount, and
> apache will send the jsp source code to the browser. Of course, a
> rewrite can hinder this, but is it really meant to be this way? Is it
> just me having problems?

Didn't have such behaviour with mod_jk 1.2.4 and tomcat 3.3.1a, got
a 404 instead.
BTW, I'm using

JkMount /app/* ajp13







Re: mod_jk multiple slashes reveals jsp code

2003-06-25 Thread Palle Girgensohn
setup:

FreeBSD 4.8-RELEASE, apache 1.3.27 w/ mod-ssl 2.8.14, mod_jk 1.2.3 and 
1.2.4. Tomcat version is irrelevant since the request never leaves apache, 
but anyway, it is tomcat 3.3.1a.

JkMount /pp/system/*jsp

[Wed Jun 25 01:32:48 2003]  [jk_uri_worker_map.c (460)]: Into 
jk_uri_worker_map_t::map_uri_to_worker
[Wed Jun 25 01:32:48 2003]  [jk_uri_worker_map.c (477)]: Attempting to map 
URI '/pp/entrance/login.jsp'
[Wed Jun 25 01:32:48 2003]  [jk_uri_worker_map.c (558)]: 
jk_uri_worker_map_t::map_uri_to_worker, Found a suffix match tomcat - *.jsp
[Wed Jun 25 01:33:14 2003]  [jk_uri_worker_map.c (460)]: Into 
jk_uri_worker_map_t::map_uri_to_worker
[Wed Jun 25 01:33:14 2003]  [jk_uri_worker_map.c (477)]: Attempting to map 
URI '//pp/entrance/login.jsp'
[Wed Jun 25 01:33:14 2003]  [jk_uri_worker_map.c (599)]: 
jk_uri_worker_map_t::map_uri_to_worker, done without a match

map_uri_to_worker just makes an exact match, in my case //pp/system 
against /pp/system/, actually on line 485:

   if(0 == strncmp(uwr->context,
                   uri,
                   uwr->ctxt_len)) {

Double slashes after /pp/system/ are OK, they will be sent on to tomcat,
which has code to handle this.

I enclose a lazy patch that makes double slashes in any request to a jsp
file, up to the length of the configured context, to be classed as a
security fraud. This will make mod_jk hand this request to tomcat anyway.
Note that in the example above, this means that tomcat will get any request
to a jsp file where there are double slashes in the first 12 characters
(12==strlen("/pp/system/");). Of course, tomcat will issue a 404 if it has
no file to serve, but without this patch, apache would do the 404 in that
case. AFAIK, this hardly matters, but confuse someone? Confusion is
probably less than without the patch, though... ;-)

Cheers,
Palle

--On Tuesday, June 24, 2003 19.51.43 +0200 Yann Cébron [EMAIL PROTECTED]
wrote:

> Hello Palle,
>
> I can confirm this bug on Win2K using Apache 2.0.44 with TC4.1.24 and
> setting mod_jk to auto-config. What's your exact setup regarding mod_jk ?
>
> Greetings,
>
> 	Yann





--- common/jk_uri_worker_map.c.orig Wed Jun 25 03:43:05 2003
+++ common/jk_uri_worker_map.c  Wed Jun 25 03:43:10 2003
@@ -156,6 +156,16 @@
  */
 return i;
 }
+   if (strnstr(uri, //, uw_map-maps[i]-ctxt_len)) {
+/* 
+ * Security violation !!!
+* The request to a file to a file with a
+* configured jsp suffix has // (multiple
+* slashes). If we don't expect a fraud here,
+* apache will serve the jsp source code
+ */
+ return i;
+   }
 }
 }
 }
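
Review bot: the new strnstr() branch returns i for any URI that has "//" within its first ctxt_len bytes, and nothing visible in the hunk first compares the URI against that map entry's context, so such a request goes to whichever map entry the loop is on rather than to the entry whose context it would match once the slashes are collapsed. Collapsing repeated slashes in uri before the existing comparison would let the normal match decide the worker and would not depend on where in the URI the "//" appears. strnstr() is also a BSD extension rather than standard C, which matters for code under common/ that is meant to build for several web servers and platforms. The comment repeats "to a file" and its indentation is uneven.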


Re: mod_jk multiple slashes reveals jsp code

2003-06-25 Thread Henri Gomez
Palle Girgensohn wrote:
> setup:
>
> FreeBSD 4.8-RELEASE, apache 1.3.27 w/ mod-ssl 2.8.14, mod_jk 1.2.3 and
> 1.2.4. Tomcat version is irrelevant since the request never leaves
> apache, but anyway, it is tomcat 3.3.1a.
>
> JkMount /pp/system/*jsp

Shouldn't it be :

JkMount /pp/system/*.jsp



Re: mod_jk multiple slashes reveals jsp code

2003-06-25 Thread Palle Girgensohn


--On Wednesday, June 25, 2003 11.41.29 +0200 Henri Gomez [EMAIL PROTECTED]
wrote:

> Palle Girgensohn wrote:
>> setup:
>>
>> FreeBSD 4.8-RELEASE, apache 1.3.27 w/ mod-ssl 2.8.14, mod_jk 1.2.3 and
>> 1.2.4. Tomcat version is irrelevant since the request never leaves
>> apache, but anyway, it is tomcat 3.3.1a.
>> JkMount /pp/system/*jsp
>
> Shouldn't it be :
>
> JkMount /pp/system/*.jsp

Of course it is, sorry! I have the dot, I just missed writing it in my email.







Re: mod_jk multiple slashes reveals jsp code

2003-06-25 Thread Henri Gomez
Palle Girgensohn wrote:
> --On Wednesday, June 25, 2003 11.41.29 +0200 Henri Gomez
> [EMAIL PROTECTED] wrote:
>
>> Palle Girgensohn wrote:
>>
>>> setup:
>>>
>>> FreeBSD 4.8-RELEASE, apache 1.3.27 w/ mod-ssl 2.8.14, mod_jk 1.2.3 and
>>> 1.2.4. Tomcat version is irrelevant since the request never leaves
>>> apache, but anyway, it is tomcat 3.3.1a.
>>> JkMount /pp/system/*jsp
>>
>> Shouldn't it be :
>>
>> JkMount /pp/system/*.jsp
>
> Of course it is, sorry! I have the dot, I just missed writing it in my email.

What's your webapp name? pp?

What happens if you use JkMount /pp/* ajp13?





Re: mod_jk multiple slashes reveals jsp code

2003-06-25 Thread Marc Slemko
On Wed, 25 Jun 2003, Palle Girgensohn wrote:

> setup:
>
> FreeBSD 4.8-RELEASE, apache 1.3.27 w/ mod-ssl 2.8.14, mod_jk 1.2.3 and
> 1.2.4. Tomcat version is irrelevant since the request never leaves apache,
> but anyway, it is tomcat 3.3.1a.
>
> JkMount /pp/system/*jsp
>
> [Wed Jun 25 01:32:48 2003]  [jk_uri_worker_map.c (460)]: Into
> jk_uri_worker_map_t::map_uri_to_worker
> [Wed Jun 25 01:32:48 2003]  [jk_uri_worker_map.c (477)]: Attempting to map
> URI '/pp/entrance/login.jsp'
> [Wed Jun 25 01:32:48 2003]  [jk_uri_worker_map.c (558)]:
> jk_uri_worker_map_t::map_uri_to_worker, Found a suffix match tomcat - *.jsp
> [Wed Jun 25 01:33:14 2003]  [jk_uri_worker_map.c (460)]: Into
> jk_uri_worker_map_t::map_uri_to_worker
> [Wed Jun 25 01:33:14 2003]  [jk_uri_worker_map.c (477)]: Attempting to map
> URI '//pp/entrance/login.jsp'
> [Wed Jun 25 01:33:14 2003]  [jk_uri_worker_map.c (599)]:
> jk_uri_worker_map_t::map_uri_to_worker, done without a match
>
> map_uri_to_worker just makes an exact match, in my case //pp/system
> against /pp/system/, actually on line 485:
>
>    if(0 == strncmp(uwr->context,
>                    uri,
>                    uwr->ctxt_len)) {
>
> Double slashes after /pp/system/ are OK, they will be sent on to tomcat,
> which has code to handle this.

This reflects a design problem in mod_jk.  Instead of using Apache's
support for Directory sections and handlers, it attempts to
reimplement it on its own.  This is one example of where it doesn't
work and exposes a security issue.  There are a lot of other examples,
especially on windows, where there is a lot of filename variance.

When you are protecting (in this case, by forwarding to something
else to handle them) files, you will expose yourself to a wide
variety of security holes if you attempt to do so based on URI
instead of on the canonical version of the path.

There is a related problem in mod_jk2 that I ran into, which results
in breaking any attempt to use a DirectoryIndex setting with
index.jsp or some such in it.  If you configure mod_jk2 to
handle *.jsp, it assumes that if you get a request for foo.jsp then
tomcat should handle it even if foo.jsp doesn't exist, so it sends the
request to tomcat even if there is no such file.  Same underlying
cause: trying to dispatch based on parsing the URI instead of
using Apache's built in support for doing such things in a more
graceful and robust manner.  Even more horrible is the fact that
mod_jk2 lets you enclose things in Location sections such as:

<Location /*.jsp>
  JkUriSet group ajp13:worker1
</Location>

...only it uses some horrible hacked up kludge to actually
parse the argument to the Location itself.  Even though this
is a Location directive, because of mod_jk2's very odd
design the arguments are interpreted completely differently
from how Apache does, which leads to all sorts of chaos.

If I recall correctly, and I haven't checked for a few months, I
think there are some comments in the mod_jk2 code indicating that
support for using it as an Apache handler was removed because the
person hacking on it didn't understand why it is necessary.
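
The mismatch discussed in this thread, as an added example that is not part of the original posts or of mod_jk's source: a prefix comparison in the style of the quoted strncmp() call, next to the same check run on a slash-collapsed copy of the URI. The struct, the function names and the buffer size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one suffix rule: a context prefix plus a
 * file suffix, as in the thread's JkMount rule for /pp/system/ and jsp. */
struct suffix_rule {
    const char *context;  /* "/pp/system/" */
    const char *suffix;   /* "jsp" */
};

/* 1 if the path ends in ".<suffix>" (uri is assumed to be the path only). */
static int has_suffix(const char *uri, const char *suffix)
{
    const char *dot = strrchr(uri, '.');
    return dot != NULL && strcmp(dot + 1, suffix) == 0;
}

/* Prefix comparison on the URI exactly as received, in the style of the
 * strncmp() call quoted in the thread. */
int match_raw(const struct suffix_rule *r, const char *uri)
{
    return strncmp(r->context, uri, strlen(r->context)) == 0
        && has_suffix(uri, r->suffix);
}

/* Copy uri into out with every run of '/' collapsed to one '/'.
 * Returns 0 on success, -1 if out is too small. */
int collapse_slashes(const char *uri, char *out, size_t outlen)
{
    size_t n = 0;
    char prev = '\0';

    if (outlen == 0)
        return -1;
    for (; *uri != '\0'; uri++) {
        if (*uri == '/' && prev == '/')
            continue;
        if (n + 1 >= outlen)
            return -1;
        prev = *uri;
        out[n++] = prev;
    }
    out[n] = '\0';
    return 0;
}

/* Same rule check on the collapsed URI: 1 match, 0 no match,
 * -1 if the URI is too long to normalize (treat as a rejected request). */
int match_normalized(const struct suffix_rule *r, const char *uri)
{
    char buf[1024];  /* assumed maximum path length */

    if (collapse_slashes(uri, buf, sizeof buf) != 0)
        return -1;
    return match_raw(r, buf);
}

int main(void)
{
    const struct suffix_rule rule = { "/pp/system/", "jsp" };
    /* Constructed sample request paths. */
    const char *uris[] = { "/pp/system/login.jsp", "//pp/system/login.jsp",
                           "/pp/system//login.jsp", "/pp/static/logo.png" };
    size_t i;

    for (i = 0; i < sizeof uris / sizeof uris[0]; i++)
        printf("%-24s raw=%d normalized=%d\n", uris[i],
               match_raw(&rule, uris[i]), match_normalized(&rule, uris[i]));
    return 0;
}
```

Collapsing slashes addresses only the case reported in this thread; the reply above argues for dispatching on the web server's canonical path rather than on the URI string.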




Re: mod_jk multiple slashes reveals jsp code

2003-06-25 Thread Palle Girgensohn
--On Wednesday, June 25, 2003 11.16.02 +0200 Henri Gomez [EMAIL PROTECTED]
wrote:

> Palle Girgensohn wrote:
>> Hi,
>>
>> When using mod_jk and apache13:
>>
>> JkMount /app/*jsp ajp13
>>
>> will redirect requests like http://server/app/foobar.jsp to tomcat, just
>> fine.
>> But, http://server//app/foobar.jsp will not be caught by JkMount, and
>> apache will send the jsp source code to the browser. Of course, a
>> rewrite can hinder this, but is it really meant to be this way? Is it
>> just me having problems?
>
> Didn't have such behaviour with mod_jk 1.2.4 and tomcat 3.3.1a, got
> a 404 instead.
> BTW, I'm using
>
> JkMount /app/* ajp13

That's a different rule, match rule instead of suffix rule. The same code
is responsible, though. If you get a 404, it is apache that cannot find the
file you try to access for some other reason. The request never gets to
tomcat. I too get 404 with that rule when accessing servlets this way, but
I get jsp source code.

Problem is that mod_jk only does a strncmp and never bothers to check for
anomalies in the URL. The mod_jk design never cares about this problem,
which is strange. It is coded this way on purpose. It is not a bug, it is a
design flaw. :(

/Palle


