Re: mod_jk multiple slashes reveals jsp code

2003-06-26 Thread Henri Gomez
Palle Girgensohn wrote:
--On onsdag, juni 25, 2003 11.16.02 +0200 Henri Gomez 
[EMAIL PROTECTED] wrote:

Palle Girgensohn wrote:

Hi,

When using mod_jk and apache13:

JkMount /app/*jsp ajp13

will redirect requests like http://server/app/foobar.jsp to tomcat, just
fine.
But, http://server//app/foobar.jsp will not be catched by JkMount, and
apache will send the jsp source code to the browser. Of course, a
rewrite can hinder this, but is it really meant to be this way? Is it
just me having problems?


Didn't have such behaviour with mod_jk 1.2.4 and tomcat 3.3.1a, got
a 404 instead.
BTW, I'm using

JkMount /app/* ajp13


That's a different rule, match rule instead of suffix rule. The same 
code is responsible, though. If you get a 404, it is apache that cannot 
find the file you try to access for some other reason. The request never 
gets to tomcat. I too get 404 with that rule when accessing servlets 
this way, but I get jsp source code.

Problem is that mod_jk only does a strncmp and never bothers to check 
for anomalities in the URL. The mod_jk design never cares about this 
problem, which is strange. It is coded this way on purpose. It not a 
bug, it is a design flaw. :(
Could we stop useless critics and flams and be more positives.

It's open source, and if you have objections, you're welcome to provide 
fixes.

Never forget that mod_jk WAS DESIGNED to be cross web server compatible 
and that's why some of the Apache functions are not used.

BTW, on the Tomcat side, there is some URI checks since this problem
could also appears when using the built-in http connector.
In the actual case the problem seems to be that Apache handle the jsp
directly since it didn't forward it to tomcat (probably because apache
and tomcat run on the same machine)




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: mod_jk multiple slashes reveals jsp code

2003-06-26 Thread Marc Slemko
On Thu, 26 Jun 2003, Henri Gomez wrote:

 Could we stop useless critics and flams and be more positives.

I'm sorry that you think it is useless to point out the specific areas
where mod_jk and mod_jk2 are doing things wrong.

 It's open source, and if you have objections, you're welcome to provide
 fixes.

To be honest, that isn't too appealing given the sad state of all
the different connectors available and the extremely poor state of
documentation about what is what and how things are supposed to
work.  But that is irrelevant, and doesn't change the validity of pointing
out what things are problems and why.

What is the release plan for mod_jk2?  Is there any plan for making it
production quality?  There doesn't seem to be much happening with it.
Is one better served to work on mod_jk instead and give up on mod_jk2?


 Never forget that mod_jk WAS DESIGNED to be cross web server compatible
 and that's why some of the Apache functions are not used.

mod_jk is the Apache specific module.  The fact that there are other
modules using some shared code that are specific to other webservers
doesn't change anything.

Web server specific plugins are the things that should tie tomcat in
with the way the particular webserver works.

It is quite sad to see how much worse webserver plugins have gotten
since the days of mod_jserv.

 BTW, on the Tomcat side, there is some URI checks since this problem
 could also appears when using the built-in http connector.

 In the actual case the problem seems to be that Apache handle the jsp
 directly since it didn't forward it to tomcat (probably because apache
 and tomcat run on the same machine)

The problem isn't that Apache doesn't forward it, the problem is that
mod_jk doesn't forward it because it reimplements things that Apache
can do for it a lot better and in a way that ensures it is compatible
with everything else happening in the webserver.  The same applies to
other webservers.  The mapping of what things should be passed to
tomcat and what things shouldn't is a security critical area that
can not be glossed over with a ahh, we'll just make up our own way of
doing things since it means we don't have to bother with the webserver.
It is a plugin for the webserver, you have to bother with how the webserver
works.

It was a bad design decision to take the shortcut of trying to embed
all the configuration within shared code and reuse it for every webserver.

By describing the problems, I'm hoping that someone who does have the
time right now can actually make one of the multitude of Apache -- tomcat
connectors into something production quality without gaping security,
performance, and stability issues.  If not, then it will have to wait
until I am at a point in my day job where we need to be deploying our
applications and they need to actually work right and I'll worry about
it then.

Oh, for whoever is trying to actually make mod_jk work right... you may
be able to do a SetHandler jakarta-servlet inside a Files section
in a Directory section, not sure if it supports it properly or not, although
that doesn't let you specify a specific worker.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: mod_jk multiple slashes reveals jsp code

2003-06-26 Thread Henri Gomez
Marc Slemko wrote:
On Thu, 26 Jun 2003, Henri Gomez wrote:


Could we stop useless critics and flams and be more positives.


I'm sorry that you think it is useless to point out the specific areas
where mod_jk and mod_jk2 are doing things wrong.
If jk's does some things wrong, we're open to make them evolve, that's a
devel list after all.
It's open source, and if you have objections, you're welcome to provide
fixes.


To be honest, that isn't too appealing given the sad state of all
the different connectors available and the extremely poor state of
documentation about what is what and how things are supposed to
work.  But that is irrelevant, and doesn't change the validity of pointing
out what things are problems and why.
Sad state, are you sure ? There is plenty of sites which use it everyday 
for their productions purposes.

No documentation, you're kidding, did you take a look at online 
documentation at :

http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/doc/

http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk2/doc/


What is the release plan for mod_jk2?  Is there any plan for making it
production quality?  There doesn't seem to be much happening with it.
Is one better served to work on mod_jk instead and give up on mod_jk2?
We need more contributors, so once again you're welcome.
Mladen and Costin make a great works in jk2 and there is now need
for more serious tests and fix before it came production ready.

Never forget that mod_jk WAS DESIGNED to be cross web server compatible
and that's why some of the Apache functions are not used.


mod_jk is the Apache specific module.  The fact that there are other
modules using some shared code that are specific to other webservers
doesn't change anything.
Of course but the 'common' modules make handle things which could be 
some time delegated to specific webservers, that's one of the big diff 
between jk and jk2.


Web server specific plugins are the things that should tie tomcat in
with the way the particular webserver works.
All connectors works is done now on jakarta-tomcat-connectors and jk, 
jk2, coyote, http11 live there and are use by TC3/4/5.

It is quite sad to see how much worse webserver plugins have gotten
since the days of mod_jserv.
Well there is 3 solutions for you :

- You contribute code to make mod_jk/mod_jk2 better.

- You get mod_jserv sources and make a successor, ie mod_jserv2, which
  will deprecate mod_jk easily if it perform better.
- You develop a whole new connector module for
  Apache 1.3/Apache 2.0/IIS/Domino/iPlanet.
Thanks to stop this flam thread if you only have critics to formulate 
and no suggestions or fixes.

This is tomcat-dev list, pas le 'bureau des pleurs'.



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: mod_jk multiple slashes reveals jsp code

2003-06-26 Thread Remy Maucherat
Marc Slemko wrote:
On Thu, 26 Jun 2003, Henri Gomez wrote:

By describing the problems, I'm hoping that someone who does have the
time right now can actually make one of the multitude of Apache -- tomcat
connectors into something production quality without gaping security,
performance, and stability issues.  If not, then it will have to wait
until I am at a point in my day job where we need to be deploying our
applications and they need to actually work right and I'll worry about
it then.
Oh, for whoever is trying to actually make mod_jk work right... you may
be able to do a SetHandler jakarta-servlet inside a Files section
in a Directory section, not sure if it supports it properly or not, although
that doesn't let you specify a specific worker.
Nice whine ;-)

If you someday choose to dedicate the same kind of effort on 
contributing to TC, I would be very happy (a a lot of people would be 
very grateful too) :)

Remy

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: Re: mod_jk multiple slashes reveals jsp code

2003-06-26 Thread Earthlink Abuse Department
Hello,

You are receiving this message in follow-up to a report
received by the EarthLink Abuse Department.  You may have
submitted this report to a number of addresses including but
not limited to [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
or [EMAIL PROTECTED]

Most reports of network abuse sent to this department fall
into a few recognizable categories (spam, cracking, viruses,
etc.).  To increase efficiency, our filters scan incoming
reports and attempt to determine the general type of issue
being reported.

We were not able to process your report because it does not 
appear to include the information needed for EarthLink Abuse 
to begin it's investigation. Evidence to Abuse should always 
include the IP address of the offending party and a valid 
timestamp, which includes time, date and timezone.

To learn how to report spam so action is taken:
http://spam.abuse.net/userhelp/howtocomplain.shtml

To learn how to locate and interpret e-mail headers in your 
e-mail client:
http://support.earthlink.net/support/TUTORIALS/email/mbx_interpret_headers.jsp

Other useful lookup tools:
http://samspade.org/

Once you have included the pertinent information needed,
please resubmit your report, and include this autoresponse. 
Your report will then be reprocessed by our filters.

However, you should expect to receive another auto-response
after your resubmission is re-examined, but due to the large
number of reports we receive, please understand that you may 
not receive a personal response.

Our policies can be found at the following page:

http://earthlink.net/about/policies/

Thanks,
The EarthLink Abuse Staff


Marc Slemko wrote:
 On Thu, 26 Jun 2003, Henri Gomez wrote:
 
 By describing the problems, I'm hoping that someone who does have the
 time right now can actually make one of the multitude of Apache -- tomcat
 connectors into something production quality without gaping security,
 performance, and stability issues.  If not, then it will have to wait
 until I am at a point in my day job where we need to be deploying our
 applications and they need to actually work right and I'll worry about
 it then.
 
 Oh, for whoever is trying to actually make mod_jk work right... you may
 be able to do a SetHandler jakarta-servlet inside a Files section
 in a Directory section, not sure if it supports it properly or not, although
 that doesn't let you specify a specific worker.

Nice whine ;-)

If you someday choose to dedicate the same kind of effort on 
contributing to TC, I would be very happy (a a lot of people would be 
very grateful too) :)

Remy


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: mod_jk multiple slashes reveals jsp code

2003-06-25 Thread Henri Gomez
Palle Girgensohn wrote:
Hi,

When using mod_jk and apache13:

JkMount /app/*jsp ajp13

will redirect requests like http://server/app/foobar.jsp to tomcat, just 
fine.

But, http://server//app/foobar.jsp will not be catched by JkMount, and 
apache will send the jsp source code to the browser. Of course, a 
rewrite can hinder this, but is it really meant to be this way? Is it 
just me having problems?
Didn't have such behaviour with mod_jk 1.2.4 and tomcat 3.3.1a, got
a 404 instead.
BTW, I'm using

JkMount /app/* ajp13





-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: mod_jk multiple slashes reveals jsp code

2003-06-25 Thread Palle Girgensohn
setup:

FreeBSD 4.8-RELEASE, apache 1.3.27 w/ mod-ssl 2.8.14, mod_jk 1.2.3 and 
1.2.4. Tomcat version is irrelevant since the request never leaves apache, 
but anyway, it is tomcat 3.3.1a.

JkMount /pp/system/*jsp

[Wed Jun 25 01:32:48 2003]  [jk_uri_worker_map.c (460)]: Into 
jk_uri_worker_map_t::map_uri_to_worker
[Wed Jun 25 01:32:48 2003]  [jk_uri_worker_map.c (477)]: Attempting to map 
URI '/pp/entrance/login.jsp'
[Wed Jun 25 01:32:48 2003]  [jk_uri_worker_map.c (558)]: 
jk_uri_worker_map_t::map_uri_to_worker, Found a suffix match tomcat - *.jsp
[Wed Jun 25 01:33:14 2003]  [jk_uri_worker_map.c (460)]: Into 
jk_uri_worker_map_t::map_uri_to_worker
[Wed Jun 25 01:33:14 2003]  [jk_uri_worker_map.c (477)]: Attempting to map 
URI '//pp/entrance/login.jsp'
[Wed Jun 25 01:33:14 2003]  [jk_uri_worker_map.c (599)]: 
jk_uri_worker_map_t::map_uri_to_worker, done without a match

map_uri_to_worker just makes an exact match, in my case //pp/system 
against /pp/system/, actually on line 485:

   if(0 == strncmp(uwr-context,
   uri,
   uwr-ctxt_len)) {
double slashes after /pp/system/ are OK, they will be sent on to tomcat, 
which has code to handle this.

I enclose a lazy patch that makes double slashes in any request to a jsp 
file, up to the length of the configured context, to be classed as a 
security fraud. This will make mod_jk handle this request to tomcat anyway. 
Note that in the example above, this means that tomcat will get any request 
to a jsp file where there is double slashes in the first 12 characters 
(12==strlen(/pp/system/);). Of course, tomcat will issue a 404 if it has 
no file to serve, but without this patch, apache would do the 404 in that 
case. AFAIK, this hardly matters, but confuse someone? Confusion is 
probably less than without the patch, though... ;-)

Cheers,
Palle
--On tisdag, juni 24, 2003 19.51.43 +0200 Yann C├ębron [EMAIL PROTECTED] 
wrote:

Hello Palle,

I can confirm this bug on Win2K using Apache 2.0.44 with TC4.1.24 and
setting mod_jk to auto-config. What's your exact setup regarding mod_jk ?
Greetings,

	Yann





--- common/jk_uri_worker_map.c.orig Wed Jun 25 03:43:05 2003
+++ common/jk_uri_worker_map.c  Wed Jun 25 03:43:10 2003
@@ -156,6 +156,16 @@
  */
 return i;
 }
+   if (strnstr(uri, //, uw_map-maps[i]-ctxt_len)) {
+/* 
+ * Security violation !!!
+* The request to a file to a file with a
+* configured jsp suffix has // (multiple
+* slashes). If we don't expect a fraud here,
+* apache will serve the jsp source code
+ */
+ return i;
+   }
 }
 }
 }

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: mod_jk multiple slashes reveals jsp code

2003-06-25 Thread Henri Gomez
Palle Girgensohn wrote:
setup:

FreeBSD 4.8-RELEASE, apache 1.3.27 w/ mod-ssl 2.8.14, mod_jk 1.2.3 and 
1.2.4. Tomcat version is irrelevant since the request never leaves 
apache, but anyway, it is tomcat 3.3.1a.

JkMount /pp/system/*jsp
Shouldn't it be :

JkMount /pp/system/*.jsp

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: mod_jk multiple slashes reveals jsp code

2003-06-25 Thread Palle Girgensohn


--On onsdag, juni 25, 2003 11.41.29 +0200 Henri Gomez [EMAIL PROTECTED] 
wrote:

Palle Girgensohn wrote:
setup:

FreeBSD 4.8-RELEASE, apache 1.3.27 w/ mod-ssl 2.8.14, mod_jk 1.2.3 and
1.2.4. Tomcat version is irrelevant since the request never leaves
apache, but anyway, it is tomcat 3.3.1a.
JkMount /pp/system/*jsp
Shouldn't it be :

JkMount /pp/system/*.jsp
Of course it is, sorry! I have the dot, I just missed writing in my email.





-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: mod_jk multiple slashes reveals jsp code

2003-06-25 Thread Henri Gomez
Palle Girgensohn wrote:


--On onsdag, juni 25, 2003 11.41.29 +0200 Henri Gomez 
[EMAIL PROTECTED] wrote:

Palle Girgensohn wrote:

setup:

FreeBSD 4.8-RELEASE, apache 1.3.27 w/ mod-ssl 2.8.14, mod_jk 1.2.3 and
1.2.4. Tomcat version is irrelevant since the request never leaves
apache, but anyway, it is tomcat 3.3.1a.
JkMount /pp/system/*jsp


Shouldn't it be :

JkMount /pp/system/*.jsp


Of course it is, sorry! I have the dot, I just missed writing in my email.
What's your webapp name ?  pp ?

What happen if you use JkMount /pp/*	ajp13



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: mod_jk multiple slashes reveals jsp code

2003-06-25 Thread Marc Slemko
On Wed, 25 Jun 2003, Palle Girgensohn wrote:

 setup:

 FreeBSD 4.8-RELEASE, apache 1.3.27 w/ mod-ssl 2.8.14, mod_jk 1.2.3 and
 1.2.4. Tomcat version is irrelevant since the request never leaves apache,
 but anyway, it is tomcat 3.3.1a.

 JkMount /pp/system/*jsp

 [Wed Jun 25 01:32:48 2003]  [jk_uri_worker_map.c (460)]: Into
 jk_uri_worker_map_t::map_uri_to_worker
 [Wed Jun 25 01:32:48 2003]  [jk_uri_worker_map.c (477)]: Attempting to map
 URI '/pp/entrance/login.jsp'
 [Wed Jun 25 01:32:48 2003]  [jk_uri_worker_map.c (558)]:
 jk_uri_worker_map_t::map_uri_to_worker, Found a suffix match tomcat - *.jsp
 [Wed Jun 25 01:33:14 2003]  [jk_uri_worker_map.c (460)]: Into
 jk_uri_worker_map_t::map_uri_to_worker
 [Wed Jun 25 01:33:14 2003]  [jk_uri_worker_map.c (477)]: Attempting to map
 URI '//pp/entrance/login.jsp'
 [Wed Jun 25 01:33:14 2003]  [jk_uri_worker_map.c (599)]:
 jk_uri_worker_map_t::map_uri_to_worker, done without a match

 map_uri_to_worker just makes an exact match, in my case //pp/system
 against /pp/system/, actually on line 485:

 if(0 == strncmp(uwr-context,
 uri,
 uwr-ctxt_len)) {

 double slashes after /pp/system/ are OK, they will be sent on to tomcat,
 which has code to handle this.

This reflects a design problem in mod_jk.  Instead of using Apache's
support for Directory sections and handlers, it attempts to
reimplement it on its own.  This is one example of where it doesn't
work and exposes a security issue.  There are a lot of other examples,
especially on windows, where there is a lot of filename variance.

When you are protecting (in this case, by forwarding to something
else to handle them) files, you will expose yourself to a wide
variety of security holes if you attempt to do so based on URI
instead of on the canonical version of the path.

There is a related problem in mod_jk2 that I ran into, which results
in breaking any attempt to use a DirectoryIndex setting with
index.jsp or some such in it.  If you configure mod_jk2 to
handle *.jsp, it assumes that if you get a request for foo.jsp then
tomcat should handle it even if foo.jsp doesn't exist, so it sends the
request to tomcat even if there is no such file.  Same underlying
cause: trying to dispatch based on parsing the URI instead of
using Apache's built in support for doing such things in a more
graceful and robust manner.  Even more horrible is the fact that
mod_jk2 lets you enclose things in Location sections such as:

Location /*.jsp
  JkUriSet group ajp13:worker1
/Location

...only it uses some horrible hacked up kludge to actually
parse the argument to the Location itself.  Even though this
is a Location directive, because of mod_jk2's very odd
design the arguments are interpreted completely differently
from how Apache does, which leads to all sorts of chaos.

If I recall correctly, and I haven't checked for a few months, I
think there are some comments in the mod_jk2 code indicating that
support for using it as an Apache handler was removed because the
person hacking on it didn't understand why it is necessary.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: mod_jk multiple slashes reveals jsp code

2003-06-25 Thread Palle Girgensohn
--On onsdag, juni 25, 2003 11.16.02 +0200 Henri Gomez [EMAIL PROTECTED] 
wrote:

Palle Girgensohn wrote:
Hi,

When using mod_jk and apache13:

JkMount /app/*jsp ajp13

will redirect requests like http://server/app/foobar.jsp to tomcat, just
fine.
But, http://server//app/foobar.jsp will not be catched by JkMount, and
apache will send the jsp source code to the browser. Of course, a
rewrite can hinder this, but is it really meant to be this way? Is it
just me having problems?
Didn't have such behaviour with mod_jk 1.2.4 and tomcat 3.3.1a, got
a 404 instead.
BTW, I'm using

JkMount /app/* ajp13
That's a different rule, match rule instead of suffix rule. The same code 
is responsible, though. If you get a 404, it is apache that cannot find the 
file you try to access for some other reason. The request never gets to 
tomcat. I too get 404 with that rule when accessing servlets this way, but 
I get jsp source code.

Problem is that mod_jk only does a strncmp and never bothers to check for 
anomalities in the URL. The mod_jk design never cares about this problem, 
which is strange. It is coded this way on purpose. It not a bug, it is a 
design flaw. :(

/Palle



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]