The short answers are:
1. No
2. No
The longer answer is:
This is categorically *not* a security issue with Tomcat. I have tested
this and Tomcat continues to operate correctly after a request with a
"very long" host header. This looks to me like an issue with your daemon.
And a fe
Hi,
We are using Tomcat 4.0.4 in our product. We have a daemon which is a wrapper
around Tomcat.
We are facing one security issue with Tomcat. If we send an HTTP packet with
a long string in the Host field, it closes the connection.
EX:
>>telnet
GET /index.html HTTP/1.
All,
A security issue has come to light where a malformed request may result
in JSP source code disclosure.
This issue only applies if all of the following are true:
1. You are using any Tomcat 4 version >= 4.1.15
2. You are using the deprecated HTTP 1.1 connec
Any further thoughts on this issue? There must be some reason why this
won't run under Tomcat but does work stand-alone.
To recap, I am trying to execute the following code on an Xp box with Tomcat
5.0.27:
Process proc = runtime.exec("cmd.exe /C shutdown -r -f -m \\myPC -t 50");
int exitVal =
Hi,
I've tried without the cmd.exe bit and also I have tried with the service
set to run as Administrator.
Cheers
Andy
-
EMAIL PROTECTED]
Sent: 29 November 2004 10:35
To: [EMAIL PROTECTED]
Subject: RE: Runtime.exec security issue?
Hi,
Actually, I was assuming this was a simple example of a runtime call.
My real goal is to allow a privileged user to re-boot the server with the
following code:
runtime.exec("
Hi,
Actually, I was assuming this was a simple example of a runtime call.
My real goal is to allow a privileged user to re-boot the server with the
following code:
runtime.exec("cmd.exe /C shutdown -r -f -m \\myPC -t 50");
I would also like to call a couple of batch files.
These attempts have me
You could be right. I still reckon that launching graphical programs from
tomcat is gonna be a bit dicey.
-Original Message-
From: andy wix [mailto:[EMAIL PROTECTED]
Sent: 29 November 2004 10:13
To: [EMAIL PROTECTED]
Subject: RE: Runtime.exec security issue?
Hi Matt,
I have tried
Hi Matt,
I have tried running the Tomcat service with 'allow service to interact with
desktop' checked in the service properties - I don't know if this should
allow Tomcat to know about Windows?
Also, I don't think the application is actually getting launched as I don't
see it in the processes
t not displayed on the console.
-Original Message-
From: andy wix [mailto:[EMAIL PROTECTED]
Sent: 29 November 2004 09:45
To: [EMAIL PROTECTED]
Subject: Runtime.exec security issue?
Hi,
I am trying to run a simple exec command to open notepad with code as
follows:
Runtime ru
Hi,
I am trying to run a simple exec command to open notepad with code as
follows:
Runtime runtime = Runtime.getRuntime();
Process proc = runtime.exec("C:\\WINDOWS\\system32\\notepad.exe");
This code works fine from a stand-alone program but not run under Tomcat.
I CAN successfully set the sy
Hi,
I'm executing a webapp from a war file, deployed with its own context
descriptor (not autodeployed), in a host (and even context for tomcat5) with
unpackwar="false". Security is enabled and just for testing purpose
catalina.policy has a grant codebase pointing to the war with
java.security
10106 (WSAEPROVIDERFAILEDINIT):
SOCKET sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
I am running Tomcat 4.1.18 on Windows 2000 without the security manager
enabled. On the same machine it works fine with the other servers.
Could this be a security issue or has anybody an idea of what is going
wrong?
Below i
http://jakarta.apache.org/tomcat/faq/misc.html#error
-Tim
Māris Orbidāns wrote:
Hello
How can I change the standard Tomcat error page?
It prints the Tomcat version and our auditors said it might be a security issue.
I have servlets and JSP pages in my app. I have an error-page directive in all JSP
Hello
How can I change the standard Tomcat error page?
It prints the Tomcat version and our auditors said it might be a security issue.
I have servlets and JSP pages in my app. I have an error-page directive in all JSP pages;
however, in case of a
Null Pointer Exception it seems not to work.
tha
How do you actually execute the system call? I normally use it as printed
below (on Tomcat 4.0x, Apache 1.3x, Redhat 6/7/8) and it works just fine.
String[] strCommand contains the single elements of the call, so "ls -al"
would be strCommand[0] = "ls", strCommand[1] = "-al", while "ls" obviously
wo
I wish I could see some log files. The only file that seems to be active
is catalina.out.
Any assistance in this matter would be appreciated.
Here is the entry for the service:
port="8009" address="127.0.0.1" minProcessors="5"
maxProcessors="75"
enableLookups="true" appBase="webap
SecurityManager permission problems are much easier to debug if you start tomcat
with the -Djava.security.debug=access,failure property defined, then
check your logs for the string "denied". Then review the stack trace
and the ProtectionDomain which failed.
Regards,
Glenn
[EMAIL PROTECTED] wrot
Yes, the factoryLoaderServlet is defined.
Too complex an issue currently to restart without SecurityManager.
May be able to do overnight. Other dependent apps need to be up during
the day
Warren
On Wednesday, October 23, 2002, at 04:19 PM, Jean-Francois Arcand wrote:
If you run the same cod
If you run the same code without the SecurityManager, do you get the
same exception? Is the "factoryLoaderServlet" defined in your web.xml?
-- Jeanfrancois
[EMAIL PROTECTED] wrote:
Thanks for the reply.
My code that seems to cause the problem is as follows:
HttpSession session = reques
Thanks for the reply.
My code that seems to cause the problem is as follows:
HttpSession session = request.getSession();
session.setAttribute( "customerProfile", new Profile() );
session.setAttribute( "loggedIn", new Boolean( false ) );
session.setAttribute( "custom
Does alvolo.servlet.DispatcherServlet.initialiseSession try to get access
to org.apache.catalina.core.ApplicationDispatcher? That's the normal
behaviour if your answer is yes. Tomcat internal classes are protected
against package access/insertion. If you really want to use that class,
add to you
I have the following exception thrown when attempting to access tomcat
app resources
WarpEngine[Apache - Tomcat4]: Mapping request
Security Violation, attempt to use Restricted Class:
org.apache.catalina.core.ApplicationDispatcher
java.security.AccessControlException: access denied
(java.lan
Dear fellow developers,
I've got a question for you guys... I've got an auth system that
distributes keys to users once they are authenticated. users can then use
that key as a ticket to get services. now, my question is what do most of
you guys do to make your site more secure? i.e. what would
EMAIL PROTECTED]
-Original Message-
From: Sullivan, Mark E [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 26, 2002 12:07 PM
To: 'Tomcat Users List'
Subject: RE: Site Security Issue
Nothing out there is going to defeat a very skilled and determined hacker,
but SSL will defeat most of them.
nning on,
so make sure it isn't running any insecure services like telnet, ftp,
etc...
-Original Message-
From: Chris Shen [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 26, 2002 1:20 PM
To: Tomcat Users List
Subject: Site Security Issue
Dear fellow developers,
I've got a q
On Wed, 3 Jul 2002, Bruno Antunes wrote:
> Date: Wed, 03 Jul 2002 18:06:57 +0100
> From: Bruno Antunes <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat User List <[EMAIL PROTECTED]>
> Subject: Security Issue with forward
&
I have found that Tomcat only checks if the
request comes from the client.
Let me exemplify:
- I have in the root of a webapp a jsp [lets name it index.jsp] that
forward requests to a protected resource
named protected/myProtectedResource.do [or a servlet, that will forward
requests usi
This is sort of easy... of course you run your site through Apache...
which in turn does this connection
deny from all "somedirectory"
in your application or code...
include something from "somedirectory"
todd
http://www.wiserlabz.com
collaborative effort to promote Novell and Open Sourc
PROTECTED]]
Sent: Thursday, March 21, 2002 1:18 PM
To: Tomcat Users List
Subject: Re: Apache/Tomcat security issue -- URGENT
I didn't get any responses, so I'm reposting with some summary. I'm
pretty sure somebody might have a solution for this.
Summary:
Is it possible to protect
TECTED]>
Date: Wednesday, March 20, 2002 8:57 pm
Subject: Apache/Tomcat security issue -- URGENT
> I'm using Apache 1.3.22 and Tomcat 4.0.2 on Windows NT/2000.
>
> I've a context called WebApp whose docBase="E:\WebApp". So, when I
> point my browser to http:/
I'm using Apache 1.3.22 and Tomcat 4.0.2 on Windows NT/2000.
I've a context called WebApp whose docBase="E:\WebApp". So, when I
point my browser to http://localhost/WebApp/main it will take me to the
login screen of the application.
There is a folder called "Reports" in my E:\WebApp. Some part
d old nimda. but it does not affect
> your tomcat, since it
> >only attacks iis on win-systems
> >
> >> -Original Message-----
> >> From: Henry Lu [mailto:[EMAIL PROTECTED]]
> >> Sent: Thursday, January 24, 2002 6:16 PM
> >> To: [EMAIL PROTECTED]
ll do since it is already compromised) but I don't know where I
saw it.
-Original Message-
From: Henry Lu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 24, 2002 11:44 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: security issue!
I don't have web server and app
It's an annoyance . . . . .
This is a standard worm attack. Patched IIS servers
are immune. Tomcat should be immune (the fact that
you are getting invalid URI entries in your log
suggests that you are). Apache is immune.
This attack can still fill up IIS logs, while it just
puts one entry in
looks like good old nimda. but it does not affect your tomcat, since it
>only attacks iis on win-systems
>
>> -Original Message-
>> From: Henry Lu [mailto:[EMAIL PROTECTED]]
>> Sent: Thursday, January 24, 2002 6:16 PM
>> To: [EMAIL PROTECTED]
>> Subject: s
win-systems
>
> > -Original Message-
> > From: Henry Lu [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, January 24, 2002 6:16 PM
> > To: [EMAIL PROTECTED]
> > Subject: security issue!
> >
> >
> > In the CATALINA_HOME/logs/catalina_log.200
>>> [EMAIL PROTECTED] 01/24/02 12:21PM >>>
> looks like good old nimda. but it does not affect your tomcat, since it
> only attacks iis on win-systems
>
> > -Original Message-
> > From: Henry Lu [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, Ja
[mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 24, 2002 6:16 PM
> To: [EMAIL PROTECTED]
> Subject: security issue!
>
>
> In the CATALINA_HOME/logs/catalina_log.2002-01-24.txt file, there
> is a lot of
> log information like the following:
>
> 2002-01
looks like good old nimda. but it does not affect your tomcat, since it
only attacks iis on win-systems
> -Original Message-
> From: Henry Lu [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 24, 2002 6:16 PM
> To: [EMAIL PROTECTED]
> Subject: security issue!
In the CATALINA_HOME/logs/catalina_log.2002-01-24.txt file, there is a lot of
log information like the following:
2002-01-24 09:29:48 HttpProcessor[80][3] Invalid request URI:
'/scripts/..%255c../winnt/system32/cmd.exe'
2002-01-24 09:29:48 HttpProcessor[80][3] Invalid request URI:
'/_vti_bi
I am using SSL on standalone Tomcat and Tomcat basic security (security
constraint in web.xml).
I do get the logging window. But if in Internet Explorer 5 I click on
"previous page" then "next page" the protected page is displayed.
What's wrong?
--
Annick Fron
AFC Europe
B.P. 111, 977 avenue d
Ok, this subject is getting pretty far from Tomcat, but I'll address this.
> > I asked once on the OpenBSD list. Those guys are very much
> > traditionalists so they did not like the idea. Still, there is no
> > longer any rational reason for this restriction. I challenge
> > anyone to point o
> I asked once on the OpenBSD list. Those guys are
> very much
> traditionalists so they did not like the idea.
> Still, there is no
> longer any rational reason for this restriction. I
> challenge anyone
> to point out a good reason for it. Basically, it
I discussed this on a local LUG. It s
> Have you tried asking your question in the linux mailing lists ?
> What do those guys have to say about this restriction to bind to
> ports < 1024 in the present day server systems?
I asked once on the OpenBSD list. Those guys are very much
traditionalists so they did not like the idea. Still,
Dr. Evil:
Have you tried asking your question in the linux
mailing lists ? What do those guys have to say about
this restriction to bind to ports < 1024 in the
present day server systems?
--- "Dr. Evil" <[EMAIL PROTECTED]> wrote:
> The VM itself is typically written in C/C++, so I
> wouldn't b
> The past 12 years I worked constantly for companies that had one or
> more unix servers and always only a small number of users had an
> admin account, all other had 'normal' user accounts.
Anyway, can someone explain to me the security benefit of restricting
bind < 1024 to uid 0? At this p
ult to configure and maintain, that it was
hard to get more security without affecting the
ease of use for the daily work.
> -Original Message-
> From: Dr. Evil [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 7 December 2001 09:20
> To: [EMAIL PROTECTED]
> Subject: R
> The VM itself is typically written in C/C++, so I wouldn't beg on more
> safety for a VM than Apache.
That's probably true. However, the likelihood of someone being able
to send a web request to Tomcat that will result in Tomcat triggering
a buffer overflow in the VM seems ridiculously small
See below:
> -Original Message-
> From: Dr. Evil [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 6 December 2001 20:48
> To: [EMAIL PROTECTED]
> Subject: Re: security issue: tomcat on port 80
> However, the reason why uid 0 is so dangerous for Apache is beca
port
and placed behind the firewall. I feel much more secure running Tomcat than
IIS on Win32.
Jim
-Original Message-
From: Dr. Evil [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 06, 2001 1:48 PM
To: [EMAIL PROTECTED]
Subject: Re: security issue: tomcat on port 80
> How safe
> How safe is it to have tomcat listening on port 80
> running on a RH6.2, which is on the internet ?
> Did anybody face any security problems ever ?
From the conventional point of view, having things run on port 80 has
been dangerous because a proc has to have uid 0 to bind to the port.
Apache
-Original Message-
> From: Attila Szegedi [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 6 December 2001 12:57
> To: Tomcat Users List
> Subject: Re: security issue: tomcat on port 80
> Java VM actually shields you from buffer overflow attacks,
> since you cannot o
--- Attila Szegedi <[EMAIL PROTECTED]> wrote:
> Java VM actually shields you from buffer overflow
> attacks, since you cannot
> overflow an array, let alone do it so that it
> overwrites code segments. So
> in case of Tomcat (or any Java-written server),
> buffer overflow attacks are
> out of que
- Original Message -
From: "Chris Newland" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: 6 December 2001 12:18
Subject: RE: security issue: tomcat on port 80
> Hi,
>
> There are security implications for running *an
system administration and do some web searches, there's
plenty of information out there.
Hope this helps,
Chris
-Original Message-
From: E B [mailto:[EMAIL PROTECTED]]
Sent: 06 December 2001 09:55
To: Tomcat Users List
Subject: security issue: tomcat on port 80
How safe is it to
How safe is it to have tomcat listening on port 80
running on a RH6.2, which is on the internet ?
Did anybody face any security problems ever ?
Hi,
We have a client who wants to use Tomcat 3.2.2 with Netscape WebServer
3.6.3. Can you please highlight any security issues involved with this
setup? If there are security concerns how this can be addressed. Thanks.
Regards,
Murali Sethuraman
ITS - Software & Services Team
GBM, General Market
Hi,
You can define a welcome file in your webapp's web.xml. For the syntax, have a
look at tomcat/conf/web.xml. You can then put, for example, an index.html in
the dir and everything will be fine.
Sascha
yntax is correct...
>
>
> first.html
>
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 10, 2001 10:28 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Security Issue
>
>
> apache.
>
> use the "deny directory listin
MAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 10, 2001 10:28 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Security Issue
>
> apache.
>
> use the "deny directory listing" directive - look in the manual FFI.
>
> At 5/10/2001 3:22:42 PM, "Martin M
You can add a welcome file list to your web.xml. I think the following
syntax is correct...
first.html
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 10, 2001 10:28 AM
To: [EMAIL PROTECTED]
Subject: Re: Security Issue
apache.
use
apache.
use the "deny directory listing" directive - look in the manual FFI.
At 5/10/2001 3:22:42 PM, "Martin Mauri" <[EMAIL PROTECTED]> wrote:
# Hi users,
#
# My apologies if this is an off topic question, but, is there any way with
# Tomcat to deny users browsing the files when they point to
Hi users,
My apologies if this is an off topic question, but, is there any way with
Tomcat to deny users browsing the files when they point to some URL, say:
http://myhost:port/report/ will show users a list with the files that are
inside the report directory, and though I want them to access an s
OMEZ Henri" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, February 28, 2001 8:59 AM
Subject: RE: [Security Issue] Sessions are visible across multiple clients
> Probably partially resolved by the patch I forward previously.
> From M.
Hi Thomas! I'll try to answer from my limited knowledge (couple of months
reading the list):
"Amrhein, Thomas" wrote:
> By the way I'm a bit confused about the different
> tomcat trees (3.2/3.3/4.0).
> There are no more 3.2 nightly builds but 3.2.2beta-release...
Right now there are three branc
Sent: Wednesday, 28 February 2001 17:59
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Security Issue] Sessions are visible across multiple
clients
Probably partially resolved by the patch I forward previously.
From M. Frey
Awareness of your own ignorance is a great
t: Wednesday, February 28, 2001 5:59 PM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: [Security Issue] Sessions are visible across multiple clients
>
>
>Hi all,
>
>one session can be visible on multiple clients!!
>
>THIS IS A BIG SECURITY PROBLEM!
>
>Someone opens h
Hi all,
one session can be visible on multiple clients!!
THIS IS A BIG SECURITY PROBLEM!
Someone opens his web browser and has the session of somebody else.
So critical data could be viewed without permission.
Somebody can act as somebody else.
What's wrong with tomcat's session-handling?
I wr
Hi
My environment - Tomcat release build 3.1 on Windows NT and JDK1.3
I am using the Java Cryptography Extension (JCE) API within my servlets.
This API uses the java.security and java.policy files. As an application my program works.
But when I call it in a servlet, it raises a security exception as follows
j
At 06:08 PM 11/5/2000 -0800, you wrote:
>Chad Loder wrote:
>
> > Thanks Craig.
> >
> > I assumed that Tomcat installed the Java security manager by
> > default. This would be the reasonable approach as long as
> > Tomcat wasn't aiming to support pre-Java2 platforms (e.g.,
> > JDK 1.1). Is this in
Chad Loder wrote:
> Thanks Craig.
>
> I assumed that Tomcat installed the Java security manager by
> default. This would be the reasonable approach as long as
> Tomcat wasn't aiming to support pre-Java2 platforms (e.g.,
> JDK 1.1). Is this in fact the case?
>
No it isn't -- you have to specifica
Thanks Craig.
I assumed that Tomcat installed the Java security manager by
default. This would be the reasonable approach as long as
Tomcat wasn't aiming to support pre-Java2 platforms (e.g.,
JDK 1.1). Is this in fact the case?
I've looked through the documentation directory and I
did not find a
Chad Loder wrote:
> Hello. I have successfully deployed my first test servlet
> using Tomcat as a standalone container. I am concerned with
> the default filesystem permissions given to my servlet
> by Tomcat.
>
> When my servlet is deployed under:
>
> tomcat_dir/webapps/mycontext
>
> the
Hello. I have successfully deployed my first test servlet
using Tomcat as a standalone container. I am concerned with
the default filesystem permissions given to my servlet
by Tomcat.
When my servlet is deployed under:
tomcat_dir/webapps/mycontext
the servlet is allowed to create the fo
;
>Reply-To: [EMAIL PROTECTED]
>To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>Subject: RE: Applet policy files (was RE:Please Help: Tomcat.policy files
>(security issue))
>Date: Fri, 20 Oct 2000 13:04:19 +0200
>
>Ann,
>
>The only thing I can sugges
ation on how java2 policy files work,
including definitions for stuff like this.
Good luck,
Simon
> -Original Message-
> From: ann patil [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, October 20, 2000 10:55 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Please Help: Tomcat.polic