I cannot replicate with httpd 2.2.3 (RHEL 5 version). 2.0.46 is the "supported" RHEL 3 version (2.0.46.71 full RH version). I know that's not really an excuse :). But we're hesitant to move off the supported versions.
Our RHEL 3 machines will be updated in the next few months to RHEL 5, so maybe that will solve the problem, at least for us, if the problem is indeed a weird interaction between the old Apache version and a new module. I just thought it was kind of weird that mod_jk 1.2.27 would load properly and yet exhibit this odd problem. And yes, we do use the JkMount PATTERN WORKER syntax.

Thanks,
George Payne

-----Original Message-----
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Wednesday, December 17, 2008 5:52 PM
To: Tomcat Users List
Subject: Re: Serious security problem with mod_jk?

On 16.12.2008 18:53, Payne, George (ghp5h) wrote:
> This is a problem I've seen reported on very old versions of mod_jk, but it
> seems (apparently) to have a new life in 1.2.27 and possibly other recent
> versions.
>
> If a user puts a double slash (http://mysite.com//myapp/myjsp.jsp) instead
> of a single slash in a URL, Apache does not recognize it as part of a normal
> pattern (e.g. JkMount /myapp/*.jsp) to be forwarded to Tomcat and displays it
> as html/text instead of as a JSP, revealing the source.
>
> My system:
>
> Httpd: Apache 2.0.46
>
> Jk: 1.2.27 (from binary posted on
> http://apache.mirrors.timporter.net/tomcat/tomcat-connectors/jk/binaries/linux/jk-1.2.27/i386/mod_jk-1.2.27-httpd-2.0.61.so)
>
> Tomcat: 5.5.27
>
> I'd be happy to hear someone say I misconfigured something, but I'm not sure
> what I could misconfigure to make this happen.
>
> I've worked around by doing things like
>
> JkMount /*.jsp ajp13
>
> JkMount /*.do ajp13
>
> etc., but this is not a good solution.

First of all I can not reproduce this. I used mod_jk 1.2.27, but httpd 2.2. The URL we check against JkMount should already be normalized by httpd at the time we use it.

Please:

- Check again with a recent httpd, either 2.0.63 or 2.2.10/2.2.11. 2.0.46 was released more than 5 years ago.
- If you can reproduce with a relatively recent httpd 2.0 or 2.2, please post your configuration (httpd and mod_jk) and also do one of the problematic requests when running JK with JkLogLevel debug and post the resulting JkLogFile.

I assume you used the "JkMount PATTERN WORKER" syntax and not the short syntax "JkMount WORKER" inside a Directory(Match) or Location(Match) element?

Regards,
Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
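The following is an added example, not code from the thread or from mod_jk itself. It models the behaviour the two messages are arguing about: a JkMount table matched against a request path before and after the kind of normalization Rainer says httpd performs, so you can see exactly which un-normalized paths slip past "JkMount /myapp/*.jsp ajp13" (and would be served by httpd as a plain file, exposing the JSP source) and why George's "JkMount /*.jsp ajp13" workaround still catches them. The mount tables, the sample paths and the glob semantics ('*' matches any run of characters, including '/') are assumptions made for this model; mod_jk's real uri-worker matcher has its own rules, so treat this as an illustration of the normalization point, not as a reference implementation.

```python
import re

# Mount table constructed for this example, mirroring the JkMount lines in
# the thread. Assumption: "JkMount PATTERN WORKER" form, with '*' matching
# any run of characters including '/', which is what lets the "/*.jsp"
# workaround catch every .jsp request regardless of depth.
JK_MOUNTS = [
    ("/myapp/*.jsp", "ajp13"),
    ("/myapp/*.do", "ajp13"),
]

# The workaround George reports using (same assumption about '*').
WORKAROUND_MOUNTS = [
    ("/*.jsp", "ajp13"),
    ("/*.do", "ajp13"),
]


def normalize_path(path):
    """Collapse repeated slashes and resolve '.' / '..' segments, the way an
    HTTP server normalizes a request URI before matching it against
    location or handler rules. Returns an absolute path."""
    if not path.startswith("/"):
        path = "/" + path
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue            # an empty segment is a repeated slash
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    norm = "/" + "/".join(out)
    if path.endswith("/") and norm != "/":
        norm += "/"             # keep a trailing slash on directory requests
    return norm


def pattern_to_regex(pattern):
    """Turn a JkMount-style glob into an anchored regex: '*' matches any run
    of characters, '?' a single character, everything else literally."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def find_worker(path, mounts=JK_MOUNTS, normalize=True):
    """Return the worker the mount table routes `path` to, or None when no
    pattern matches (httpd would then serve the file itself).
    normalize=False models a server handing mod_jk the raw request URI."""
    candidate = normalize_path(path) if normalize else path
    for pattern, worker in mounts:
        if pattern_to_regex(pattern).match(candidate):
            return worker
    return None


def describe(path, mounts=JK_MOUNTS, normalize=True):
    """Human-readable routing decision for one request path."""
    worker = find_worker(path, mounts, normalize)
    return ("forwarded to worker %s" % worker) if worker \
        else "served by httpd as a plain file"


if __name__ == "__main__":
    for raw in ("/myapp/myjsp.jsp", "//myapp/myjsp.jsp",
                "/myapp//myjsp.jsp", "/./myapp/myjsp.jsp"):
        print("%-20s raw: %-33s normalized: %s" % (
            raw, describe(raw, normalize=False), describe(raw)))
```

Two things the run makes visible. First, only a double slash (or a "/." segment) in front of the literal "/myapp" prefix defeats the pattern; "/myapp//myjsp.jsp" still matches even without normalization, because '*' spans the extra slash. Second, with the raw URI the "/*.jsp" workaround matches "//myapp/myjsp.jsp" anyway, which is why it papers over the symptom without addressing whether the URI reaching mod_jk was normalized, the question Rainer's request for a JkLogLevel debug log is meant to settle.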