NPE exception in org.apache.catalina.connector.CoyoteAdapter.service
Hi, Dev: I met an urgent NPE exception in tomcat NIO connector, more details : https://issues.apache.org/bugzilla/show_bug.cgi?id=52009 Appreciate your help! -- viola Apache Geronimo
Re: How to reproduce tomcat security vulnerabilities
Got it. Appreciate your clarification, Christopher. I will keep post clear to understand.:) On Fri, Sep 24, 2010 at 9:56 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Viola, On 9/22/2010 11:29 PM, viola lu wrote: thanks. I tried it on tomcat 6.0.26, and 6.0.29, it worked for the second one, i can get correct response headers on tomcat 6.0.26 and tomcat 6.0.29: tomcat 6.0.26 What is the first one and the second one? The bugs you mentioned in your first post? Remember, not everyone is thinking what you're thinking: please be clear when posting. suse10sp268:~ # wget -S -O - --post-data='test send post' http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor --07:21:33-- http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 *WWW-Authenticate: Basic realm=9.125.1.248:8080* Good: this reproduces the bug. *tomcat 6.0.29:* suse10sp268:~ # wget -S -O - --post-data='test send post' http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor --07:24:02-- http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 *WWW-Authenticate: Basic realm=Authentication required* ...and this shows that the bug has been fixed: no IP and port. But for the first one, both got the same response: 200 OK as below: suse10sp268:~ # wget -S -O - --header='Transfer-Encoding:unsupported' --post-data='test send post' http://9.125.1.248:8080/SecurityTomcat/SecurityServlet --07:12:16-- http://9.125.1.248:8080/SecurityTomcat/SecurityServlet = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html Content-Length: 61 Date: Thu, 23 Sep 2010 03:09:09 GMT Connection: keep-alive Length: 61 [text/html] 0% [ ] 0 --.--K/s unsupported application/x-www-form-urlencoded 9.125.1.248 100%[=] 61--.--K/s 07:12:16 (7.27 MB/s) - `-' saved [61/61] Seems no difference on tomcat 6.0.26 and tomcat 6.0.29, is there something wrong? Maybe this is sensitive to other conditions as well. On 9/24/2010 12:57 AM, viola lu wrote: After debug into tomcat source code, i found that if transfer-encode is set as 'buffered', tomcat 6.0.26 will report null pointer exception in buffered filter recycle, but in tomcat 6.0.29 , directly report 501 error. But not sure attackers how to obtain sensitive information via a crafted header? When buffers are not recycled properly, information /can/ leak across requests. This means that, under the right conditions, an attacker /might/ be able to exploit the server to disclose information. Just because a vulnerability does not have an exploit doesn't mean it's not a vulnerability: the possibility exists that information can be disclosed. It's not absolutely necessary to be able to actually steal information from a server to be considered a vulnerability. This one might not be reproducible in any predictable way. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkycrgEACgkQ9CaO5/Lv0PDJMgCfZbZmJQzqGKx8vwQ6m7IGd+HV OR4AnjjvmJ37pfrQFtii+lUaRPruYaKD =vKvJ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- viola
Re: How to reproduce tomcat security vulnerabilities
After debug into tomcat source code, i found that if transfer-encode is set as 'buffered', tomcat 6.0.26 will report null pointer exception in buffered filter recycle, but in tomcat 6.0.29 , directly report 501 error. But not sure attackers how to obtain sensitive information via a crafted header? On Thu, Sep 23, 2010 at 11:29 AM, viola lu viola...@gmail.com wrote: thanks. I tried it on tomcat 6.0.26, and 6.0.29, it worked for the second one, i can get correct response headers on tomcat 6.0.26 and tomcat 6.0.29: tomcat 6.0.26 suse10sp268:~ # wget -S -O - --post-data='test send post' http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor --07:21:33-- http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 *WWW-Authenticate: Basic realm=9.125.1.248:8080* *tomcat 6.0.29:* suse10sp268:~ # wget -S -O - --post-data='test send post' http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor --07:24:02-- http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 *WWW-Authenticate: Basic realm=Authentication required* But for the first one, both got the same repsonse: 200 OK as below: suse10sp268:~ # wget -S -O - --header='Transfer-Encoding:unsupported' --post-data='test send post' http://9.125.1.248:8080/SecurityTomcat/SecurityServlet --07:12:16-- http://9.125.1.248:8080/SecurityTomcat/SecurityServlet = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html Content-Length: 61 Date: Thu, 23 Sep 2010 03:09:09 GMT Connection: keep-alive Length: 61 [text/html] 0% [ ] 0 --.--K/s unsupported application/x-www-form-urlencoded 9.125.1.248 100%[=] 61--.--K/s 07:12:16 (7.27 MB/s) - `-' saved [61/61] Seems no difference on tomcat 6.0.26 and tomcat 6.0.29, is there something wrong? Appreciate if you can provide more help! On Thu, Sep 23, 2010 at 2:25 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Viola, On 9/21/2010 10:13 PM, viola lu wrote: Here is my client: [snip] Note that your client can be replaced by this one-liner: $ wget -S -O - --header='Transfer-Encoding: unsupported' \ --post-data='test send post' \ http://localhost:8080/SecurityTomcat/SecurityServlet It also has the added advantages of not stripping newlines from the response, and including the response headers in the output. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkyaShYACgkQ9CaO5/Lv0PBzFgCeMVSEXNtPhBFe0ae+M3Ip0aOT 6SgAnAihZq7v3w6icGiPeceYFjnAPN21 =LoyH -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- viola -- viola
Re: How to reproduce tomcat security vulnerabilities
thanks. I tried it on tomcat 6.0.26, and 6.0.29, it worked for the second one, i can get correct response headers on tomcat 6.0.26 and tomcat 6.0.29: tomcat 6.0.26 suse10sp268:~ # wget -S -O - --post-data='test send post' http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor --07:21:33-- http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 *WWW-Authenticate: Basic realm=9.125.1.248:8080* *tomcat 6.0.29:* suse10sp268:~ # wget -S -O - --post-data='test send post' http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor --07:24:02-- http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 *WWW-Authenticate: Basic realm=Authentication required* But for the first one, both got the same repsonse: 200 OK as below: suse10sp268:~ # wget -S -O - --header='Transfer-Encoding:unsupported' --post-data='test send post' http://9.125.1.248:8080/SecurityTomcat/SecurityServlet --07:12:16-- http://9.125.1.248:8080/SecurityTomcat/SecurityServlet = `-' Connecting to 9.125.1.248:8080... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html Content-Length: 61 Date: Thu, 23 Sep 2010 03:09:09 GMT Connection: keep-alive Length: 61 [text/html] 0% [ ] 0 --.--K/s unsupported application/x-www-form-urlencoded 9.125.1.248 100%[=] 61--.--K/s 07:12:16 (7.27 MB/s) - `-' saved [61/61] Seems no difference on tomcat 6.0.26 and tomcat 6.0.29, is there something wrong? Appreciate if you can provide more help! On Thu, Sep 23, 2010 at 2:25 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Viola, On 9/21/2010 10:13 PM, viola lu wrote: Here is my client: [snip] Note that your client can be replaced by this one-liner: $ wget -S -O - --header='Transfer-Encoding: unsupported' \ --post-data='test send post' \ http://localhost:8080/SecurityTomcat/SecurityServlet It also has the added advantages of not stripping newlines from the response, and including the response headers in the output. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkyaShYACgkQ9CaO5/Lv0PBzFgCeMVSEXNtPhBFe0ae+M3Ip0aOT 6SgAnAihZq7v3w6icGiPeceYFjnAPN21 =LoyH -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- viola
How to reproduce tomcat security vulnerabilities
Hi, From tomcat 6.0.28 fix list: http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.28, there are two security vulnerabilities fixed, but i have no idea how to trigger these flaws in tomcat 6.0.27 and what's the failure should be after several trial for example the first one:*Remote Denial Of Service and Information Disclosure Vulnerability I created a client sending a POST request whose Transfer-encoding is unsupported to a servlet, the servlet will return Server returned HTTP response code: 501, is this the failure symptom?Here is my client: URL url = new URL(http://localhost:8080/SecurityTomcat/SecurityServlet;); URLConnection connection = url.openConnection(); ((HttpURLConnection) connection).setRequestMethod(POST); connection.setDoOutput(true); connection.setDoInput(true); // Only if you expect to read a response... connection.setUseCaches(false); // Highly recommended... connection.setRequestProperty(Content-Type, application/x-www-form-urlencoded); //connection.setRequestProperty(Transfer-Encoding, unsupported); connection.setRequestProperty(Transfer-Encoding, unsupported); PrintWriter output; output = new PrintWriter(new OutputStreamWriter(connection.getOutputStream())); output.write(test send post); // output.write(request); output.flush(); BufferedReader reader = new BufferedReader(new InputStreamReader(connection.getInputStream())); StringBuilder sb = new StringBuilder(); String line = reader.readLine(); while (line!=null line.length() 0) { sb.append(line); line = reader.readLine(); } System.out.println(sb.toString()); output.close(); reader.close(); } catch (UnsupportedEncodingException e) { // TODO Auto-generated catch block e.printStackTrace(); } catch (ProtocolException e) { // TODO Auto-generated catch block e.printStackTrace(); } catch (IOException e) { // TODO Auto-generated catch block e.printStackTrace(); } The second one,**Information disclosure in authentication headers,** in my opinion, this is reproduced by sending an unauthorized request, and then 401 status code returns, if i can catch *WWW-Authenticate http header content, server hostname will be printed out, am i right? Can someone give some hints? Thanks in advance!* * -- viola
Re: One question about EL 2.2 :java.lang.NoSuchMethodException error when call a managedbean int method
This test application can work well on glassfish, but glassfish el implementation is different from tomcat el implementation: jasper-el.jar, which is under tomcat lib folder? First, i though it's myfaces problem, but myfaces community response it's el implementation problem: https://issues.apache.org/jira/browse/MYFACES-2916, and from EL spec, i found out that: The value of an IntegerLiteral ranges from Long.MIN_VALUE to Long.MAX_VALUE, this means that EL treats all integerliteral as long? I also read tomcat code: protected Number getInteger() { if (this.number == null) { try { this.number = new Long(this.image); } catch (ArithmeticException e1) { this.number = new BigInteger(this.image); } } return number; } But glassfish can work, did you have any idea? On Wed, Sep 15, 2010 at 1:49 PM, Pid p...@pidster.com wrote: On 15/09/2010 04:18, viola lu wrote: Hi, Mark: thanks, i already opened a bug : https://issues.apache.org/bugzilla/show_bug.cgi?id=49925. Are you sure this is a Tomcat bug? p On Tue, Sep 14, 2010 at 2:49 PM, Mark Thomas ma...@apache.org wrote: On 14/09/2010 06:00, viola lu wrote: Is this a bug of EL implementation? Parse number as Long, not type of ManagedBean defined? Yep, looks like a possible bug in the code that identifies the method you are trying to call. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- viola
Re: One question about EL 2.2 :java.lang.NoSuchMethodException error when call a managedbean int method
Hi, Mark: thanks, i already opened a bug : https://issues.apache.org/bugzilla/show_bug.cgi?id=49925. On Tue, Sep 14, 2010 at 2:49 PM, Mark Thomas ma...@apache.org wrote: On 14/09/2010 06:00, viola lu wrote: Is this a bug of EL implementation? Parse number as Long, not type of ManagedBean defined? Yep, looks like a possible bug in the code that identifies the method you are trying to call. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- viola
One question about EL 2.2 :java.lang.NoSuchMethodException error when call a managedbean int method
1. Create a managed bean ,define an int field package coreservlets; import javax.faces.bean.*; @ManagedBean public class SpanishColorMapper extends ColorMapper { private int age; public SpanishColorMapper() { super(Spanish, rojo, anaranjado, amarillo, verde, negro, blanco); } public int calYear(int x) { return age + x; } public int getAge() { return age; } public void setAge(int x) { age = x; } } 2.Direclty call calYear method in xhtml like: td#{spanishColorMapper.calYear(5)}/td but it's reported that : java.lang.NoSuchMethodException: coreservlets.SpanishColorMapper.calYear(java.lang.Long) Caused by: java.lang.NoSuchMethodException - coreservlets.SpanishColorMapper.calYear(java.lang.Long) javax.faces.FacesException: java.lang.NoSuchMethodException: coreservlets.SpanishColorMapper.calYear(java.lang.Long) at org.apache.myfaces.shared_impl.context.ExceptionHandlerImpl.wrap(ExceptionHandlerImpl.java:241) at org.apache.myfaces.shared_impl.context.ExceptionHandlerImpl.handle(ExceptionHandlerImpl.java:156) at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:258) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:191) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:201) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:163) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:108) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:556) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:401) at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:281) at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579) at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:1568) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) at java.lang.Thread.run(Thread.java:619) Caused by: java.lang.NoSuchMethodException: coreservlets.SpanishColorMapper.calYear(java.lang.Long) at java.lang.Class.getMethod(Class.java:1605) at javax.el.BeanELResolver.invoke(BeanELResolver.java:377) at javax.el.CompositeELResolver.invoke(CompositeELResolver.java:137) at org.apache.el.parser.AstValue.getValue(AstValue.java:159) at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:192) at org.apache.myfaces.view.facelets.el.ELText$ELTextVariable.writeText(ELText.java:213) at org.apache.myfaces.view.facelets.compiler.TextInstruction.write(TextInstruction.java:48) at org.apache.myfaces.view.facelets.compiler.UIInstructions.encodeBegin(UIInstructions.java:46) at org.apache.myfaces.view.facelets.compiler.UILeaf.encodeAll(UILeaf.java:214) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:614) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:614) at org.apache.myfaces.view.facelets.FaceletViewDeclarationLanguage.renderView(FaceletViewDeclarationLanguage.java:1155) at org.apache.myfaces.application.ViewHandlerImpl.renderView(ViewHandlerImpl.java:263) at org.apache.myfaces.lifecycle.RenderResponseExecutor.execute(RenderResponseExecutor.java:85) at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:239) ... 16 more Seems by default it's set as Long. Is this a bug of EL implementation? Parse number as Long, not type of ManagedBean defined? -- viola