1.3.0_01 returns true for isFile on my Win-NT box. I've attached the program I've been running (so as to avoid having to load all of Tomcat. ----- Original Message ----- From: "Larry Isaacs" <[EMAIL PROTECTED]> To: "Tomcat Developers List" <[EMAIL PROTECTED]> Sent: Tuesday, January 08, 2002 4:01 PM Subject: RE: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
I find that isFile() returns false, at least for JDK 1.3.1 and JDK1.2.2.
I tried JDK1.1.8, but Tomcat 3.3.x wouldn't come up. I get:
java.lang.ClassNotFoundException: org.apache.tomcat.startup.EmbededTomcat
at org.apache.tomcat.util.compat.SimpleClassLoader.loadClass
My preference would be to build a solution on isFile() if it can be worked
out.
I still need to investigate where the test might best be applied.
Larry
-----Original Message-----
From: Bill Barker [mailto:[EMAIL PROTECTED]]
Sent: Tue 1/8/2002 3:39 PM
To: Tomcat Developers List
Cc:
Subject: Re: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
This may be too kludgy, but my quick test shows that "aux.ver"
returns -11644473600000 for lastModified.
Less kludgy would be to simply add a complete list of DOS devices to the
"keywords" that are mangled.
----- Original Message -----
From: "Larry Isaacs" <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> >
To: "'Tomcat Developers List'" <[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> >
Sent: Tuesday, January 08, 2002 12:06 PM
Subject: RE: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
This also causes Tomcat 3.3 to hang a thread when it
tries to read aux.ver. Tomcat 3.2.4 doesn't appear
to have a problem and reports a "not found" error.
A quick test of Tomcat 4.0.1 returned a blank page
without hanging.
I'll investigate and prepare, if possible, a quick
patch to Tomat 3.3 and make a proposal for a
Tomcat 3.3.1 beta and release.
Thanks for relaying this.
Cheers,
Larry
> -----Original Message-----
> From: Jon Scott Stevens [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 08, 2002 2:36 PM
> To: tomcat-dev
> Subject: FW: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
>
>
> I'm curious how Tomcat deals with this issue.
>
> Oh yea. Yet another reason why JSP sucks. :-)
>
> -jon
>
> ------ Forwarded Message
> From: Peter Gründl <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> >
> Date: Tue, 8 Jan 2002 16:33:26 +0100
> To: <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> >
> Subject: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
>
> --------------------------------------------------------------------
>
> -=>Bea Weblogic DOS-device Denial of Service<=-
> courtesy of KMPG Denmark
>
> BUG-ID: 2002003 Released: 8th Jan 2002
> --------------------------------------------------------------------
> Problem:
> ========
> A flaw in the way the Bea Weblogic server handles specific requests
> containing DOS-devices can cause a Denial of Service situation,
> where web requests are no longer being serviced.
>
> Vulnerable:
> ===========
> - Bea Weblogic Server 6.1 Service Pack 1 for Windows NT/2000
> - Older releases and other pure java application servers could be
> vulnerable, but haven't been tested.
>
> Details:
> ========
> When the Weblogic server receives a .jsp request, it invokes an
> external compiler to deal with the .jsp ressource requested. The
> server can be fooled into thinking you are requesting a valid .jsp
> ressource by simply requesting a DOS-device (such as eg. aux) and
> appending the .jsp extension to it (aux.jsp). The external compiler
> is then invoked and due to the nature of the DOS-devices, this
> working thread never finishes.
>
> The server can handle about a 10-11 working threads, so when this
> number of active threads has been reached, the server will no
> longer service any requests. Since both HTTP and HTTPS are handled
> by the same module, both are crippled if one is attacked.
>
> Vendor URL:
> ===========
> You can visit the vendors webpage here: http://www.beasys.com
<http://www.beasys.com>
>
> Vendor response:
> ================
> The vendor was contacted on the 6th of November, 2001. On the 15th
> of November the vendor confirms that they have reproduced the issue
> on Windows 2000 and Windows NT. The issue is assigned the bug id:
> CR062542 by the vendor. On the 3rd of January, 2002 the vendor
> confirmed the release of the new service pack and that it included
> the patch for this issue.
>
> Corrective action:
> ==================
> Upgrade to Service Pack 2, which can be downloaded here:
> http://commerce.beasys.com <http://commerce.beasys.com>
>
>
> Author: Peter Gründl ([EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> )
>
> --------------------------------------------------------------------
> KPMG is not responsible for the misuse of the information we provide
> through our security advisories. These advisories are a service to
> the professional security community. In no event shall KPMG be lia-
> ble for any consequences whatsoever arising out of or in connection
> with the use or spread of this information.
> --------------------------------------------------------------------
>
> ------ End of Forwarded Message
>
>
> --
> To unsubscribe, e-mail:
<mailto:[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> >
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> >
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> >
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> >
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> >
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> >
----------------------------------------------------------------------------
----
> --
> To unsubscribe, e-mail:
<mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail:
<mailto:[EMAIL PROTECTED]>
TestSpecialFile.java
Description: Binary data
-- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
