Precompile JSP error using webapp-jspc.ant.xml (tomcat stuffed)

2022-06-22 Thread Markus Reich
Hi,

I'm trying to precompile a JSF application, I follow the instructions on
https://tomcat.apache.org/tomcat-9.0-doc/graal.html.

I got a lot of errors like
Caused by: java.lang.ClassCastException: class
com.sun.faces.taglib.jsf_core.CoreValidator cannot be cast to class
jakarta.servlet.jsp.tagext.TagLibraryValidator
(com.sun.faces.taglib.jsf_core.CoreValidator and
jakarta.servlet.jsp.tagext.TagLibraryValidator are in unnamed module of
loader org.apache.tools.ant.AntClassLoader

The header in JSP is
<%@page contentType="text/html"%>
<%@page pageEncoding="UTF-8"%>

<%@taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
<%@taglib prefix="h" uri="http://java.sun.com/jsf/html"%>

<%@taglib prefix="t" uri="/WEB-INF/eclnt"%>

regards
Meex


RE: How to configure Tomcat 8.5.x to run in with a different windows service user, and what are minimum permissions

2022-06-22 Thread paul.leo
After a quick meeting with client this may be a moot point.
On this page:
https://tomcat.apache.org/tomcat-8.5-doc/windows-service-howto.html
I saw command line references (and, as I'm reviewing, it's becoming more
clear that I'm not understanding their use) for:

-User   User account used for running executable. It is used only
for StartMode java or exe and enables running applications as service under
account without LogonAsService privilege.
--Password  Password for user account set by --User parameter

It looks like this is when you install the service.
I was thinking that I would have to specify password somewhere.  I don't
think that's the case.

Sorry to be a little misinformed.



-Original Message-
From: Mark Thomas  
Sent: Wednesday, June 22, 2022 10:33 AM
To: users@tomcat.apache.org
Subject: Re: How to configure Tomcat 8.5.x to run in with a different
windows service user, and what are minimum permissions

On 22/06/2022 17:02, paul@stgconsulting.com wrote:
> Hello all,
> 
> I've been tasked with researching options for running Tomcat 8.5.x as a
> windows service, but with a different user.
> 
> I need to know what the minimum rights for the user would be, and also how to
> pass the user & password.  I think I see how to pass the user and password.  I
> don't see how to encrypt the password though.
> 
> Other options would be appreciated as well.

Any reason running as the default (assuming a recent Tomcat version)
LocalService isn't sufficiently secure?

The minimum permissions would depend on the app but off the top of my head
that will be at least:
- file permissions as documented in the security guide
- run as service
- network access

Exactly where are you looking to encrypt the password?

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org






Re: How to configure Tomcat 8.5.x to run in with a different windows service user, and what are minimum permissions

2022-06-22 Thread Mark Thomas

On 22/06/2022 17:02, paul@stgconsulting.com wrote:

Hello all,

I've been tasked with researching options for running Tomcat 8.5.x as a windows
service, but with a different user.

I need to know what the minimum rights for the user would be, and also how to pass
the user & password.  I think I see how to pass the user and password.  I don't see
how to encrypt the password though.

Other options would be appreciated as well.


Any reason running as the default (assuming a recent Tomcat version) 
LocalService isn't sufficiently secure?


The minimum permissions would depend on the app but off the top of my 
head that will be at least:

- file permissions as documented in the security guide
- run as service
- network access

Exactly where are you looking to encrypt the password?

Mark




How to configure Tomcat 8.5.x to run in with a different windows service user, and what are minimum permissions

2022-06-22 Thread paul.leo
Hello all,

 

I've been tasked with researching options for running Tomcat 8.5.x as a windows
service, but with a different user.

I need to know what the minimum rights for the user would be, and also how to pass
the user & password.  I think I see how to pass the user and password.  I don't see
how to encrypt the password though.

Other options would be appreciated as well.

 

Best,

Paul



RE: [External] Re: Apache Tomcat 8 - Require Tomcat configuration to restrict exe's from downloading

2022-06-22 Thread Scott,Tim
Hi all,

As a side note, can we all try not to have a URL with something like “abc.exe” 
in?

Several firewall implementations will refuse to navigate there, even though we 
all know the intention is not to have it download. Trying to explain that to 
some people is more difficult than avoiding the problem.

If it’s just for a small number of people you know and that won’t be a problem 
for them, then fine.

We use:

cgi
/theApp.exe




theApp.exe


This hides the “theApp.exe” from the browser so such firewalls never know / 
interfere.

Thanks,
Tim

From: Mark Thomas 
Sent: 22 June 2022 10:56
To: users@tomcat.apache.org
Subject: [External] Re: Apache Tomcat 8 - Require Tomcat configuration to 
restrict exe's from downloading

On 22/06/2022 10:37, bharath Kumar wrote:
> Hi team,
>
> Any help on this ?
>
> Further, this exe (*abc.exe*) downloads when I hit the URL
> *http://server_name/abc.exe/* and this is
> happening only in *Tomcat*, not with *IIS*.
>
>
> Tomcat :
> *http:///abc.exe* -- exe is not getting downloaded
> *http:///abc.exe/* -- exe is getting downloaded on
> the browser where we hit
>
>
> IIS:
>
> *http:///abc.exe/ - No issue*
> *http:///abc.exe - **No issue*
>
>
> My Intention is not to download the abc.exe ... I have a CGI
> application(abc.exe) that opens up my application
>
>
> Below is my web.xml configuration:
>
> 
> abc
> /abc.exe
> 

Change the mapping to /abc.exe/*

See section 12.2 of the Servlet specification for details.

Mark


>
>
> Can you please help me stop the CGI application
> (*http:///abc.exe/*) from being downloaded (I am trying
> to fix the CGI vulnerability)
>
> Thanks,
> Bharath
>
> On Mon, Jun 20, 2022 at 4:42 PM Thomas Hoffmann (Speed4Trade GmbH)
> mailto:thomas.hoffm...@speed4trade.com.invalid>>
>  wrote:
>
>> Hello,
>>
>> maybe this stackoverflow page helps already:
>>
>> https://stackoverflow.com/questions/9862746/restrict-allow-file-access-in-tomcat-based-on-file-extension-via-whitelist
>>
>> Your snippet of the web.xml is just a configuration of an unknown servlet.
>> If the corresponding servlet is custom, you need to get in touch with the
>> developer.
>>
>> Greetings,
>> Thomas
>>



RE: Apache Tomcat 8 - Require Tomcat configuration to restrict exe's from downloading

2022-06-22 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

if I place e.g. calc.exe in the root folder of a stock Tomcat, it doesn’t seem 
to work:

curl http://localhost/calc.exe -vv
--> exe is found

curl http://localhost/calc.exe/ -vv
--> I receive a 404 error

It seems your application is somehow allowing the download or your 
configuration.
Perhaps you can first try to figure out which part of your configuration / 
application is causing the download.
I would start with inspecting the web.xml and follow the path.

Greetings,
Thomas

> -Original Message-
> From: bharath Kumar 
> Sent: Wednesday, 22 June 2022 11:38
> To: Tomcat Users List 
> Subject: Re: Apache Tomcat 8 - Require Tomcat configuration to restrict exe's
> from downloading
> 
> Hi team,
> 
> Any help on this ?
> 
> Further, this exe (*abc.exe*) downloads when I hit the URL
> *http://server_name/abc.exe/* and this is
> happening only in *Tomcat*, not with *IIS*.
> 
> 
> Tomcat :
> *http:///abc.exe*  -- exe is not getting downloaded
> *http:///abc.exe/*-- exe is getting downloaded on
> the browser where we hit
> 
> 
> IIS:
> 
> *http:///abc.exe/   - No issue*
> *http:///abc.exe- **No issue*
> 
> 
> My Intention is not to download the abc.exe ... I have a CGI
> application(abc.exe) that opens up my application
> 
> 
> Below is my web.xml configuration:
> 
> 
>   abc
>  /abc.exe
> 
> 
> 
> 
> Can you please help me stop the CGI application
> (*http:///abc.exe/*) from being downloaded (I am
> trying to fix the CGI vulnerability)
> 
> Thanks,
> Bharath
> 
> On Mon, Jun 20, 2022 at 4:42 PM Thomas Hoffmann (Speed4Trade GmbH)
>  wrote:
> 
> > Hello,
> >
> > maybe this stackoverflow page helps already:
> >
> > https://stackoverflow.com/questions/9862746/restrict-allow-file-access
> > -in-tomcat-based-on-file-extension-via-whitelist
> >
> > Your snippet of the web.xml is just a configuration of an unknown servlet.
> > If the corresponding servlet is custom, you need to get in touch with
> > the developer.
> >
> > Greetings,
> > Thomas
> >
> > > -Original Message-
> > > From: bharath Kumar 
> > > Sent: Monday, 20 June 2022 12:43
> > > To: Tomcat Users List 
> > > Subject: Re: Apache Tomcat 8 - Require Tomcat configuration to
> > > restrict
> > exe's
> > > from downloading
> > >
> > > Sure Olaf will update it
> > >
> > > On Mon, Jun 20, 2022 at 3:33 PM Olaf Kock  wrote:
> > >
> > > >
> > > > On 20.06.22 11:51, bharath Kumar wrote:
> > > > > Hi Team,
> > > > >
> > > > > I am using apache Tomcat 8 version,
> > > > >
> > > > > *Problem statement: *
> > > > >
> > > > > My application's accessible  URL format is
> > > > > *http:///abc/xyz.exe*
> > > >
> > > > A good way to get the question answered would be to answer the
> > > > comments on your identical Stackoverflow post
> > > >
> > > > https://stackoverflow.com/q/72658556/13447
> > > >
> > > > If someone is asking for clarification, that's typically because
> > > > they need more information and it typically doesn't help asking
> > > > elsewhere without providing that additional information. And
> > > > abandoning the original place isn't too helpful as well.
> > > >
> > > > Also: Please don't crosspost without referencing all places where
> > > > you posted - otherwise you're just generating duplicate work as
> > > > nobody knows what has already been discussed elsewhere.
> > > >
> > > > Thank you,
> > > >
> > > > Olaf
> > > >
> > > >
> > > >
> > > >
> > > >
> >
> >




Re: CVE-2022-29885

2022-06-22 Thread Stephane Passignat

thank you Mark

On 2022-06-22 at 11:52, Mark Thomas wrote:

On 22/06/2022 10:18, Stephane Passignat wrote:

Hello,

I'm trying to understand this CVE and EncryptInterceptor.

So far my understanding is that EncryptInterceptor is used in a clustered 
environment. Am I right?


Reading the content of the commit and the release notes, it only 
looks like a documentation issue. Is there really any DDoS weakness?


Yes, there is a DoS issue. If you use the EncryptInterceptor on an 
untrusted network then it is possible for an attacker to mount a DoS 
attack on the Tomcat instances in the network.


The documentation change was to make clear that it wasn't safe to do 
this.


If we implement message size limits for cluster messages then an 
appropriate message limit along with the EncryptInterceptor should be 
safe (but I can't be certain as we haven't implemented and tested it).


Mark







Re: Apache Tomcat 8 - Require Tomcat configuration to restrict exe's from downloading

2022-06-22 Thread Mark Thomas

On 22/06/2022 10:37, bharath Kumar wrote:

Hi team,

Any help on this ?

Further, this exe (*abc.exe*) downloads when I hit the URL
*http://server_name/abc.exe/* and this is
happening only in *Tomcat*, not with *IIS*.


Tomcat :
*http:///abc.exe*  -- exe is not getting downloaded
*http:///abc.exe/*-- exe is getting downloaded on
the browser where we hit


IIS:

*http:///abc.exe/   - No issue*
*http:///abc.exe- **No issue*


My Intention is not to download the abc.exe ... I have a CGI
application(abc.exe) that opens up my application


Below is my web.xml configuration:


   abc
  /abc.exe



Change the mapping to /abc.exe/*

See section 12.2 of the Servlet specification for details.

Mark






Can you please help me stop the CGI application
(*http:///abc.exe/*) from being downloaded (I am trying
to fix the CGI vulnerability)

Thanks,
Bharath

On Mon, Jun 20, 2022 at 4:42 PM Thomas Hoffmann (Speed4Trade GmbH)
 wrote:


Hello,

maybe this stackoverflow page helps already:

https://stackoverflow.com/questions/9862746/restrict-allow-file-access-in-tomcat-based-on-file-extension-via-whitelist

Your snippet of the web.xml is just a configuration of an unknown servlet.
If the corresponding servlet is custom, you need to get in touch with the
developer.

Greetings,
Thomas


-Original Message-
From: bharath Kumar 
Sent: Monday, 20 June 2022 12:43
To: Tomcat Users List 
Subject: Re: Apache Tomcat 8 - Require Tomcat configuration to restrict

exe's

from downloading

Sure Olaf will update it

On Mon, Jun 20, 2022 at 3:33 PM Olaf Kock  wrote:



On 20.06.22 11:51, bharath Kumar wrote:

Hi Team,

I am using apache Tomcat 8 version,

*Problem statement: *

My application's accessible  URL format is
*http:///abc/xyz.exe*


A good way to get the question answered would be to answer the
comments on your identical Stackoverflow post

https://stackoverflow.com/q/72658556/13447

If someone is asking for clarification, that's typically because they
need more information and it typically doesn't help asking elsewhere
without providing that additional information. And abandoning the
original place isn't too helpful as well.

Also: Please don't crosspost without referencing all places where you
posted - otherwise you're just generating duplicate work as nobody
knows what has already been discussed elsewhere.

Thank you,

Olaf












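To see why the change Mark suggests works, here is an added example (not Tomcat's own mapper code) that implements the Servlet specification's URL-pattern matching rules in Python and applies them to the two web.xml mappings from this thread. The servlet names `cgi`, `default` and `jsp` and the pattern `/abc.exe/*` come from the thread and Tomcat's stock conf/web.xml; the request paths are constructed.

```python
# Added illustration of the Servlet spec mapping rules (section 12.1/12.2);
# this is not Tomcat's implementation. Mapping names/patterns mirror the thread.
from typing import Dict, Optional, Tuple

Match = Tuple[str, str, Optional[str]]  # (servlet name, servletPath, pathInfo)


def match_servlet(mappings: Dict[str, str], path: str) -> Match:
    """Pick the servlet for a context-relative request path.

    mappings maps url-pattern -> servlet-name, as in web.xml. Rules, in order:
      1. exact match                ('/abc.exe')
      2. longest path-prefix match  ('/abc.exe/*')
      3. extension match            ('*.jsp')
      4. the default servlet, mapped to '/'
    """
    # 1. Exact match: servletPath is the whole path, pathInfo is null.
    if path in mappings:
        return mappings[path], path, None
    # 2. Longest matching path prefix. '/abc.exe/*' matches '/abc.exe',
    #    '/abc.exe/' and '/abc.exe/anything' but not '/abc.exeX'.
    best_prefix: Optional[str] = None
    for pattern in mappings:
        if pattern.endswith("/*"):
            prefix = pattern[:-2]
            if path == prefix or path.startswith(prefix + "/"):
                if best_prefix is None or len(prefix) > len(best_prefix):
                    best_prefix = prefix
    if best_prefix is not None:
        path_info = path[len(best_prefix):] or None
        return mappings[best_prefix + "/*"], best_prefix, path_info
    # 3. Extension match on the last path segment.
    last_segment = path.rsplit("/", 1)[-1]
    if "." in last_segment:
        ext_pattern = "*." + last_segment.rsplit(".", 1)[-1]
        if ext_pattern in mappings:
            return mappings[ext_pattern], path, None
    # 4. Default servlet: servletPath is the request path, pathInfo is null.
    if "/" in mappings:
        return mappings["/"], path, None
    raise LookupError(f"no servlet mapped for {path!r}")


# Tomcat's conf/web.xml maps the static-content servlet 'default' to '/'
# and the JSP servlet to '*.jsp'; the application adds its CGI servlet mapping.
CONTAINER = {"/": "default", "*.jsp": "jsp"}
WEAK = {**CONTAINER, "/abc.exe": "cgi"}     # exact mapping posted in the thread
FIXED = {**CONTAINER, "/abc.exe/*": "cgi"}  # mapping Mark suggested


def servlet_for(mappings: Dict[str, str], path: str) -> str:
    return match_servlet(mappings, path)[0]


if __name__ == "__main__":
    for label, mappings in (("weak", WEAK), ("fixed", FIXED)):
        for p in ("/abc.exe", "/abc.exe/", "/abc.exe/run", "/abc.exeX"):
            print(label, p, "->", match_servlet(mappings, p))
```

With the exact mapping, `/abc.exe/` matches nothing the application declared and falls through to the default (static-content) servlet, so what gets served depends on what lives in the document root; with `/abc.exe/*`, both `/abc.exe` and `/abc.exe/...` reach the CGI servlet.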



Re: CVE-2022-29885

2022-06-22 Thread Mark Thomas

On 22/06/2022 10:18, Stephane Passignat wrote:

Hello,

I'm trying to understand this CVE and EncryptInterceptor.

So far my understanding is that EncryptInterceptor is used in a clustered 
environment. Am I right?


Reading the content of the commit and the release notes, it only looks 
like a documentation issue. Is there really any DDoS weakness?


Yes, there is a DoS issue. If you use the EncryptInterceptor on an 
untrusted network then it is possible for an attacker to mount a DoS 
attack on the Tomcat instances in the network.


The documentation change was to make clear that it wasn't safe to do this.

If we implement message size limits for cluster messages then an 
appropriate message limit along with the EncryptInterceptor should be 
safe (but I can't be certain as we haven't implemented and tested it).


Mark




Re: Apache Tomcat 8 - Require Tomcat configuration to restrict exe's from downloading

2022-06-22 Thread bharath Kumar
Hi team,

Any help on this ?

Further, this exe (*abc.exe*) downloads when I hit the URL
*http://server_name/abc.exe/* and this is
happening only in *Tomcat*, not with *IIS*.


Tomcat :
*http:///abc.exe*  -- exe is not getting downloaded
*http:///abc.exe/*-- exe is getting downloaded on
the browser where we hit


IIS:

*http:///abc.exe/   - No issue*
*http:///abc.exe- **No issue*


My Intention is not to download the abc.exe ... I have a CGI
application(abc.exe) that opens up my application


Below is my web.xml configuration:


  abc
 /abc.exe




Can you please help me stop the CGI application
(*http:///abc.exe/*) from being downloaded (I am trying
to fix the CGI vulnerability)

Thanks,
Bharath

On Mon, Jun 20, 2022 at 4:42 PM Thomas Hoffmann (Speed4Trade GmbH)
 wrote:

> Hello,
>
> maybe this stackoverflow page helps already:
>
> https://stackoverflow.com/questions/9862746/restrict-allow-file-access-in-tomcat-based-on-file-extension-via-whitelist
>
> Your snippet of the web.xml is just a configuration of an unknown servlet.
> If the corresponding servlet is custom, you need to get in touch with the
> developer.
>
> Greetings,
> Thomas
>
> > -Original Message-
> > From: bharath Kumar 
> > Sent: Monday, 20 June 2022 12:43
> > To: Tomcat Users List 
> > Subject: Re: Apache Tomcat 8 - Require Tomcat configuration to restrict
> exe's
> > from downloading
> >
> > Sure Olaf will update it
> >
> > On Mon, Jun 20, 2022 at 3:33 PM Olaf Kock  wrote:
> >
> > >
> > > On 20.06.22 11:51, bharath Kumar wrote:
> > > > Hi Team,
> > > >
> > > > I am using apache Tomcat 8 version,
> > > >
> > > > *Problem statement: *
> > > >
> > > > My application's accessible  URL format is
> > > > *http:///abc/xyz.exe*
> > >
> > > A good way to get the question answered would be to answer the
> > > comments on your identical Stackoverflow post
> > >
> > > https://stackoverflow.com/q/72658556/13447
> > >
> > > If someone is asking for clarification, that's typically because they
> > > need more information and it typically doesn't help asking elsewhere
> > > without providing that additional information. And abandoning the
> > > original place isn't too helpful as well.
> > >
> > > Also: Please don't crosspost without referencing all places where you
> > > posted - otherwise you're just generating duplicate work as nobody
> > > knows what has already been discussed elsewhere.
> > >
> > > Thank you,
> > >
> > > Olaf
> > >
> > >
> > >
> > >
> > >
>
>


CVE-2022-29885

2022-06-22 Thread Stephane Passignat

Hello,

I'm trying to understand this CVE and EncryptInterceptor.

So far my understanding is that EncryptInterceptor is used in a clustered 
environment. Am I right?


Reading the content of the commit and the release notes, it only looks 
like a documentation issue. Is there really any DDoS weakness?


thanks,
Stephane





Re: Are Apache versions cumulative ?

2022-06-22 Thread Mark Thomas

On 22/06/2022 09:20, Jason Tan wrote:

Hi there,
Sorry to trouble you folks, but I could not find on Google any proof/info that 
states Apache Tomcat fixes are cumulative.
I have a customer asking me if the fixes listed in 
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.109 
are cumulative, i.e. cumulative meaning that fixes in Tomcat 7.0.100 are also 
present in Tomcat 7.0.109.
My gut tells me it's cumulative, but I need some sort of proof for my customer.


Yes.

Within a major version we don't patch older releases, we only produce 
new releases. Tomcat major.minor.x contains all the fixes in 
major.minor.(x-1)


Mark




Are Apache versions cumulative ?

2022-06-22 Thread Jason Tan
Hi there,
Sorry to trouble you folks, but I could not find on Google any proof/info that 
states Apache Tomcat fixes are cumulative.
I have a customer asking me if the fixes listed in 
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.109 
are cumulative, i.e. cumulative meaning that fixes in Tomcat 7.0.100 are also 
present in Tomcat 7.0.109.
My gut tells me it's cumulative, but I need some sort of proof for my customer.

Best Regards,
Jason Tan