>Hi Marc,
>I saw this problem in 3.2.1 as well - I made a fix for it in the tomcat
>that ships with the Borland AppServer but
>couldn't get anyone to comment on the fix in the main code-line
>(essentially I'm not a committer so couldn't
>submit the fix)
Hi Thom,
Thanks for the info. Can someone from the Tomcat development team please
comment on this? I would have thought that this was quite a serious
security problem - am I wrong?
The way I see it, the bug could lead to anybody grabbing another user's
role while appearing to be somebody else. This is certainly possible if
you use somebody else's PC after they have. It may be even worse if you
can also do this from a different PC - essentially getting a "random"
role that somebody else already "provided" by logging in. Not to mention
plain old failure in the case where a higher "privileged" person gets a
lower privileged role allocated. It's not clear at this time whether the
principal caching is tied to IP or "per pooled connection". If the
latter, it's a bit more scary.
So once again, can someone from the Tomcat team PLEASE comment on this
problem and whether a fix is being implemented? Perhaps there is too much
work/redesign going on in 4.0 for people to consider patching 3.2.x but I
would have thought this is pretty essential, and perhaps even merits a
post to the BUGTRAQ mailing list. We already have 3 confirmed "sufferers"
- who knows how many systems that depend on tomcat have slipped through
the net and represent significant authentication breaches?
Cheers