Hi,
 
We are using Tomcat 4.0.4 in our product. We have a daemon which is a wrapper 
around the tomcat.
 
We are facing one security issue with Tomcat. If we send an HTTP packet with 
a long string in the Host field, it closes the connection.
EX: 
>>telnet <machine> <port on which tomcat is running>
GET /index.html HTTP/1.1
Host: <very long string>
------------
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Fri, 14 Oct 2005 05:16:57 GMT
Connection: close
Server: Apache Tomcat/4.0.4 (HTTP/1.1 Connector)
Connection closed by foreign host.

Though tomcat closes the connection, somewhere it is overwriting the memory 
and not cleaning up the buffer/memory which holds this host string. Because of 
this, applications which are already launched through the tomcat webserver get 
the exception and our daemon dies.
 
Can somebody help me in figuring out 
1. Is this a known issue with the tomcat?
2. If yes, can I get a patch on top of Tomcat 4x where the above problem is 
fixed?
 
Any pointers on this would be of great help!!!
 
Thanks,
Rashma


                