On 29/08/2023 21:51, Bhavesh Mistry wrote:
Hi Mark,
curl -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com'
*Why? What problem are you trying to solve?*
Host Header injection is a vulnerability that needs to be addressed. I am
trying to solve if the host
Hi Mark,
> curl -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com'
*Why? What problem are you trying to solve?*
Host Header injection is a vulnerability that needs to be addressed. I am
trying to solve if the host is a mismatch between the HOST ( or
On 29/08/2023 21:28, Loeschmann, Lori wrote:
Hello,
We have a Tomcat application which authenticates via CAS. The application and
CAS reside on different servers.
We also have an internal audit process that flags files on these servers when
they change. It's a retroactive review of
Hello,
We have a Tomcat application which authenticates via CAS. The application and
CAS reside on different servers.
We also have an internal audit process that flags files on these servers when
they change. It's a retroactive review of authorized changes.
When the SSL certificate was
On 29/08/2023 08:00, Bhavesh Mistry wrote:
Hi Mark,
I am sorry for delayed response.
Basically, when request url does not match host header then I would reject
it. For example,
curl -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com'
Why? What problem are
On 28/08/2023 18:44, Amit Pande wrote:
Oh, sure. So, what would be the best way to get some conclusion on this thread?
Provide a patch for review based on the feedback provided here and in
the BZ issue.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57830 The state of the ticket
isn't
On 29/08/2023 20:53, David Cleary wrote:
2023-08-29T15:31:57.840-04:00 WARN [main] o.a.t.u.n.j.JSSEUtil - Some of the
specified [ciphers] are not supported by the SSL engine and have been skipped:
[Dozens of OpenSSL ciphers]
We use OpenSSL and moving to Tomcat 10.1.13 has caused an overload
2023-08-29T15:31:57.840-04:00 WARN [main] o.a.t.u.n.j.JSSEUtil - Some of the
specified [ciphers] are not supported by the SSL engine and have been skipped:
[Dozens of OpenSSL ciphers]
We use OpenSSL and moving to Tomcat 10.1.13 has caused an overload of useless
information to appear when
Hi all,
Thanks for your responses. I think I've found the problem.
My wrapping class which detects the invocation of the close() method to
decrement its count is no longer decrementing its count because
method.getDeclaringClass() has changed from java.sql.Connection to
Hi Mark,
I am sorry for delayed response.
Basically, when request url does not match host header then I would reject
it. For example,
curl -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com'
Based on curl -vvv output, tomcat server does not know host name used