tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: svn commit: r834289 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Date Tue, 10 Nov 2009 09:44:25 GMT
On 10.11.2009 05:36, Costin Manolache wrote:
> The request will not be executed - how can he continue the attack ?

I don't get that as well. As far as I understand the attack, there is no
information disclosure. The only thing an attacker can do is mixing his
request with a user supplied one, thereby leveraging user credentials to
execute his own request. Neither can he see the user request, not the
response.

The user client will do a renegaotiation and only provide his request
inside the newly negotiated encryption, which is not transparent for the
MITM. the server buffers the partial attacker request send directly
before initiating the renegotiation and if it is an incomplete request,
it will buffered at the server, combined with what the user is sending
after renegotiation and executed in the security context of the user.

Regards,

Rainer



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message