NPE exception in org.apache.catalina.connector.CoyoteAdapter.service
Hi, Dev: I met an urgent NPE exception in tomcat NIO connector, more details : https://issues.apache.org/bugzilla/show_bug.cgi?id=52009 Appreciate your help! -- viola Apache Geronimo
Re: How to reproduce tomcat security vulnerabilities
Got it. Appreciate your clarification, Christopher. I will keep post clear to understand.:) On Fri, Sep 24, 2010 at 9:56 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Viola, On 9/22/2010 11:29 PM, viola lu wrote: thanks. I tried it on tomcat 6.0.26, and 6.0.29, it worked for the second one, i can get correct response headers on tomcat 6.0.26 and tomcat 6.0.29: tomcat 6.0.26 What is the first one and the second one? The bugs you mentioned in your first post? Remember, not everyone is thinking what you're thinking: please be clear when posting. suse10sp268:~ # wget -S -O - --post-data='test send post' http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor --07:21:33-- http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 *WWW-Authenticate: Basic realm=9.125.1.248:8080* Good: this reproduces the bug. *tomcat 6.0.29:* suse10sp268:~ # wget -S -O - --post-data='test send post' http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor --07:24:02-- http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 *WWW-Authenticate: Basic realm=Authentication required* ...and this shows that the bug has been fixed: no IP and port. But for the first one, both got the same response: 200 OK as below: suse10sp268:~ # wget -S -O - --header='Transfer-Encoding:unsupported' --post-data='test send post' http://9.125.1.248:8080/SecurityTomcat/SecurityServlet --07:12:16-- http://9.125.1.248:8080/SecurityTomcat/SecurityServlet = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html Content-Length: 61 Date: Thu, 23 Sep 2010 03:09:09 GMT Connection: keep-alive Length: 61 [text/html] 0% [ ] 0 --.--K/s unsupported application/x-www-form-urlencoded 9.125.1.248 100%[=] 61--.--K/s 07:12:16 (7.27 MB/s) - `-' saved [61/61] Seems no difference on tomcat 6.0.26 and tomcat 6.0.29, is there something wrong? Maybe this is sensitive to other conditions as well. On 9/24/2010 12:57 AM, viola lu wrote: After debug into tomcat source code, i found that if transfer-encode is set as 'buffered', tomcat 6.0.26 will report null pointer exception in buffered filter recycle, but in tomcat 6.0.29 , directly report 501 error. But not sure attackers how to obtain sensitive information via a crafted header? When buffers are not recycled properly, information /can/ leak across requests. This means that, under the right conditions, an attacker /might/ be able to exploit the server to disclose information. Just because a vulnerability does not have an exploit doesn't mean it's not a vulnerability: the possibility exists that information can be disclosed. It's not absolutely necessary to be able to actually steal information from a server to be considered a vulnerability. This one might not be reproducible in any predictable way. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkycrgEACgkQ9CaO5/Lv0PDJMgCfZbZmJQzqGKx8vwQ6m7IGd+HV OR4AnjjvmJ37pfrQFtii+lUaRPruYaKD =vKvJ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- viola
Re: How to reproduce tomcat security vulnerabilities
After debug into tomcat source code, i found that if transfer-encode is set as 'buffered', tomcat 6.0.26 will report null pointer exception in buffered filter recycle, but in tomcat 6.0.29 , directly report 501 error. But not sure attackers how to obtain sensitive information via a crafted header? On Thu, Sep 23, 2010 at 11:29 AM, viola lu viola...@gmail.com wrote: thanks. I tried it on tomcat 6.0.26, and 6.0.29, it worked for the second one, i can get correct response headers on tomcat 6.0.26 and tomcat 6.0.29: tomcat 6.0.26 suse10sp268:~ # wget -S -O - --post-data='test send post' http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor --07:21:33-- http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 *WWW-Authenticate: Basic realm=9.125.1.248:8080* *tomcat 6.0.29:* suse10sp268:~ # wget -S -O - --post-data='test send post' http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor --07:24:02-- http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 *WWW-Authenticate: Basic realm=Authentication required* But for the first one, both got the same repsonse: 200 OK as below: suse10sp268:~ # wget -S -O - --header='Transfer-Encoding:unsupported' --post-data='test send post' http://9.125.1.248:8080/SecurityTomcat/SecurityServlet --07:12:16-- http://9.125.1.248:8080/SecurityTomcat/SecurityServlet = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html Content-Length: 61 Date: Thu, 23 Sep 2010 03:09:09 GMT Connection: keep-alive Length: 61 [text/html] 0% [ ] 0 --.--K/s unsupported application/x-www-form-urlencoded 9.125.1.248 100%[=] 61--.--K/s 07:12:16 (7.27 MB/s) - `-' saved [61/61] Seems no difference on tomcat 6.0.26 and tomcat 6.0.29, is there something wrong? Appreciate if you can provide more help! On Thu, Sep 23, 2010 at 2:25 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Viola, On 9/21/2010 10:13 PM, viola lu wrote: Here is my client: [snip] Note that your client can be replaced by this one-liner: $ wget -S -O - --header='Transfer-Encoding: unsupported' \ --post-data='test send post' \ http://localhost:8080/SecurityTomcat/SecurityServlet It also has the added advantages of not stripping newlines from the response, and including the response headers in the output. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkyaShYACgkQ9CaO5/Lv0PBzFgCeMVSEXNtPhBFe0ae+M3Ip0aOT 6SgAnAihZq7v3w6icGiPeceYFjnAPN21 =LoyH -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- viola -- viola
Re: How to reproduce tomcat security vulnerabilities
thanks. I tried it on tomcat 6.0.26, and 6.0.29, it worked for the second one, i can get correct response headers on tomcat 6.0.26 and tomcat 6.0.29: tomcat 6.0.26 suse10sp268:~ # wget -S -O - --post-data='test send post' http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor --07:21:33-- http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 *WWW-Authenticate: Basic realm=9.125.1.248:8080* *tomcat 6.0.29:* suse10sp268:~ # wget -S -O - --post-data='test send post' http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor --07:24:02-- http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 *WWW-Authenticate: Basic realm=Authentication required* But for the first one, both got the same repsonse: 200 OK as below: suse10sp268:~ # wget -S -O - --header='Transfer-Encoding:unsupported' --post-data='test send post' http://9.125.1.248:8080/SecurityTomcat/SecurityServlet --07:12:16-- http://9.125.1.248:8080/SecurityTomcat/SecurityServlet = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html Content-Length: 61 Date: Thu, 23 Sep 2010 03:09:09 GMT Connection: keep-alive Length: 61 [text/html] 0% [ ] 0 --.--K/s unsupported application/x-www-form-urlencoded 9.125.1.248 100%[=] 61--.--K/s 07:12:16 (7.27 MB/s) - `-' saved [61/61] Seems no difference on tomcat 6.0.26 and tomcat 6.0.29, is there something wrong? Appreciate if you can provide more help! On Thu, Sep 23, 2010 at 2:25 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Viola, On 9/21/2010 10:13 PM, viola lu wrote: Here is my client: [snip] Note that your client can be replaced by this one-liner: $ wget -S -O - --header='Transfer-Encoding: unsupported' \ --post-data='test send post' \ http://localhost:8080/SecurityTomcat/SecurityServlet It also has the added advantages of not stripping newlines from the response, and including the response headers in the output. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkyaShYACgkQ9CaO5/Lv0PBzFgCeMVSEXNtPhBFe0ae+M3Ip0aOT 6SgAnAihZq7v3w6icGiPeceYFjnAPN21 =LoyH -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- viola
How to reproduce tomcat security vulnerabilities
Hi,
From tomcat 6.0.28 fix list:
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.28,
there are two security vulnerabilities fixed, but i have no idea how to
trigger these flaws in tomcat 6.0.27 and what's the failure should be after
several trial
for example the first one:*Remote Denial Of Service and Information
Disclosure Vulnerability
I created a client sending a POST request whose Transfer-encoding is
unsupported to a servlet, the servlet will return
Server returned HTTP response code: 501, is this the failure symptom?Here
is my client:
URL url = new URL(http://localhost:8080/SecurityTomcat/SecurityServlet;);
URLConnection connection = url.openConnection();
((HttpURLConnection) connection).setRequestMethod(POST);
connection.setDoOutput(true);
connection.setDoInput(true); // Only if you expect to read a
response...
connection.setUseCaches(false); // Highly recommended...
connection.setRequestProperty(Content-Type,
application/x-www-form-urlencoded);
//connection.setRequestProperty(Transfer-Encoding,
unsupported);
connection.setRequestProperty(Transfer-Encoding,
unsupported);
PrintWriter output;
output = new PrintWriter(new
OutputStreamWriter(connection.getOutputStream()));
output.write(test send post);
// output.write(request);
output.flush();
BufferedReader reader = new BufferedReader(new
InputStreamReader(connection.getInputStream()));
StringBuilder sb = new StringBuilder();
String line = reader.readLine();
while (line!=null line.length() 0) {
sb.append(line);
line = reader.readLine();
}
System.out.println(sb.toString());
output.close();
reader.close();
} catch (UnsupportedEncodingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (ProtocolException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
The second one,**Information disclosure in authentication headers,** in my
opinion, this is reproduced by sending an unauthorized request, and then
401 status code returns, if i can catch *WWW-Authenticate http header
content, server hostname will be printed out, am i right?
Can someone give some hints? Thanks in advance!*
*
--
viola
Re: One question about EL 2.2 :java.lang.NoSuchMethodException error when call a managedbean int method
This test application can work well on glassfish, but glassfish el
implementation is different from tomcat el implementation: jasper-el.jar,
which is under tomcat lib folder? First, i though it's myfaces problem, but
myfaces community response it's el implementation problem:
https://issues.apache.org/jira/browse/MYFACES-2916,
and from EL spec, i found out that:
The value of an IntegerLiteral ranges from Long.MIN_VALUE to
Long.MAX_VALUE, this means that EL treats all integerliteral as long?
I also read tomcat code:
protected Number getInteger() {
if (this.number == null) {
try {
this.number = new Long(this.image);
} catch (ArithmeticException e1) {
this.number = new BigInteger(this.image);
}
}
return number;
}
But glassfish can work, did you have any idea?
On Wed, Sep 15, 2010 at 1:49 PM, Pid p...@pidster.com wrote:
On 15/09/2010 04:18, viola lu wrote:
Hi, Mark:
thanks, i already opened a bug :
https://issues.apache.org/bugzilla/show_bug.cgi?id=49925.
Are you sure this is a Tomcat bug?
p
On Tue, Sep 14, 2010 at 2:49 PM, Mark Thomas ma...@apache.org wrote:
On 14/09/2010 06:00, viola lu wrote:
Is this a bug of EL implementation? Parse number as Long, not type of
ManagedBean defined?
Yep, looks like a possible bug in the code that identifies the method
you are trying to call.
Mark
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
--
viola
Re: One question about EL 2.2 :java.lang.NoSuchMethodException error when call a managedbean int method
Hi, Mark: thanks, i already opened a bug : https://issues.apache.org/bugzilla/show_bug.cgi?id=49925. On Tue, Sep 14, 2010 at 2:49 PM, Mark Thomas ma...@apache.org wrote: On 14/09/2010 06:00, viola lu wrote: Is this a bug of EL implementation? Parse number as Long, not type of ManagedBean defined? Yep, looks like a possible bug in the code that identifies the method you are trying to call. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- viola
One question about EL 2.2 :java.lang.NoSuchMethodException error when call a managedbean int method
1. Create a managed bean ,define an int field
package coreservlets;
import javax.faces.bean.*;
@ManagedBean
public class SpanishColorMapper extends ColorMapper {
private int age;
public SpanishColorMapper() {
super(Spanish, rojo, anaranjado, amarillo,
verde, negro, blanco);
}
public int calYear(int x) {
return age + x;
}
public int getAge() {
return age;
}
public void setAge(int x) {
age = x;
}
}
2.Direclty call calYear method in xhtml like:
td#{spanishColorMapper.calYear(5)}/td
but it's reported that :
java.lang.NoSuchMethodException:
coreservlets.SpanishColorMapper.calYear(java.lang.Long)
Caused by:
java.lang.NoSuchMethodException -
coreservlets.SpanishColorMapper.calYear(java.lang.Long)
javax.faces.FacesException: java.lang.NoSuchMethodException:
coreservlets.SpanishColorMapper.calYear(java.lang.Long)
at
org.apache.myfaces.shared_impl.context.ExceptionHandlerImpl.wrap(ExceptionHandlerImpl.java:241)
at
org.apache.myfaces.shared_impl.context.ExceptionHandlerImpl.handle(ExceptionHandlerImpl.java:156)
at
org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:258)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:191)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:201)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:163)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:108)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:556)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:401)
at
org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:281)
at
org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
at
org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:1568)
at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.NoSuchMethodException:
coreservlets.SpanishColorMapper.calYear(java.lang.Long)
at java.lang.Class.getMethod(Class.java:1605)
at javax.el.BeanELResolver.invoke(BeanELResolver.java:377)
at javax.el.CompositeELResolver.invoke(CompositeELResolver.java:137)
at org.apache.el.parser.AstValue.getValue(AstValue.java:159)
at
org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:192)
at
org.apache.myfaces.view.facelets.el.ELText$ELTextVariable.writeText(ELText.java:213)
at
org.apache.myfaces.view.facelets.compiler.TextInstruction.write(TextInstruction.java:48)
at
org.apache.myfaces.view.facelets.compiler.UIInstructions.encodeBegin(UIInstructions.java:46)
at
org.apache.myfaces.view.facelets.compiler.UILeaf.encodeAll(UILeaf.java:214)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:614)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:614)
at
org.apache.myfaces.view.facelets.FaceletViewDeclarationLanguage.renderView(FaceletViewDeclarationLanguage.java:1155)
at
org.apache.myfaces.application.ViewHandlerImpl.renderView(ViewHandlerImpl.java:263)
at
org.apache.myfaces.lifecycle.RenderResponseExecutor.execute(RenderResponseExecutor.java:85)
at
org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:239)
... 16 more
Seems by default it's set as Long.
Is this a bug of EL implementation? Parse number as Long, not type of
ManagedBean defined?
--
viola
