tomcat-users mailing list archives

From "Jeff Kilbride" <>
Subject Re: Auth bug in 3.2.1?
Date Sat, 14 Apr 2001 23:01:20 GMT
Hi Thom,

Thanks for posting a solution! I was just about to start exploring

Did you post this as a patch to the Tomcat-dev list? If not, that might be
the best first step, since it looks like you've solved the problem. Who
knows how long it will take for someone on the Dev side to read through this
list and find this thread...


----- Original Message -----
From: "Rajesh A" <>
To: <>
Sent: Saturday, April 14, 2001 8:12 AM
Subject: Re: Auth bug in 3.2.1?

> I completely agree with Marc. This is a very serious problem and if I
> understand Thom's mail right, it affects ALL realms including SimpleRealm,
> JDBCRealm etc.
> I also request others using tomcat auth to revisit their applications and
> make sure users and roles are being assigned properly. Perhaps many may be
> hit by this problem but have not discovered it yet. Without a solution to
> this problem I will have to redesign security for my application and that
> will blow my project plan!
> We already seem to have a solution posted by Thom Park. Can someone from
> tomcat dev please consider it and release a patch?
> Please help.
> Rajesh
> >From: Marc Palmer <>
> >Reply-To:
> >To:
> >Subject: Re: Auth bug in 3.2.1?
> >Date: Sat, 14 Apr 2001 08:08:21 GMT
> >
> > >Hi Marc,
> > >I saw this problem in 3.2.1 as well - I made a fix for it in the
> > >that ships with the Borland AppServer but
> > >couldn't get anyone to comment on the fix in the main code-line
> > >(essentially I'm not a committer so couldn't submit the fix)
> >Hi Thom,
> >Thanks for the info. Can someone from the Tomcat development team please
> >comment on this? I would have thought that this was quite a serious
> >security problem - am I wrong?
> >The way I see it, the bug could lead to anybody grabbing another user's
> >role while appearing to be somebody else. This is certainly possible if
> >you use somebody else's PC after they have. It may be even worse if you
> >can also do this from a different PC - essentially getting a "random"
> >role that somebody else already "provided" by logging in. Not to mention
> >plain old failure in the case where a higher "privileged" person gets a
> >lower privileged role allocated. It's not clear at this time whether the
> >principal caching is tied to IP or "per pooled connection". If the
> >latter, it's a bit more scary.
> >So once again, can someone from the Tomcat team PLEASE comment on this
> >problem and whether a fix is being implemented? Perhaps there is too much
> >work/redesign going on in 4.0 for people to consider patching 3.2.x but I
> >would have thought this is pretty essential, and perhaps even merits a
> >post to the BUGTRAQ mailing list. We already have 3 confirmed "sufferers"
> >- who knows how many systems that depend on tomcat have slipped through
> >the net and represent significant authentication breaches?
> >
> >Cheers
> >
> >
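Rajesh asks application owners to revisit their deployments and "make sure users and roles are being assigned properly". The following servlet filter is an added illustration of that check, written for this archive page; it is not code from the thread, from Thom Park's patch, or from Tomcat. It records the user name and watched roles the container reports on the first authenticated request of a session and refuses any later request on the same session for which the container reports something different, which is the symptom Marc describes (one caller being handed a principal or role that belongs to somebody else). It assumes the Servlet 2.3 Filter API (javax.servlet.Filter, introduced with Tomcat 4), so on a 3.2.x container the same comparison would have to live inside the protected servlet; the init-param name `watchedRoles` and the session attribute key are assumed names chosen for the example.

```java
// Added example, not from the thread or from Tomcat: a Filter that detects
// the container reporting a different user or role set for an existing
// session than it reported when that session first authenticated.
// Assumes Servlet API 2.3+ (javax.servlet.Filter). The init-param
// "watchedRoles" (comma-separated role names) and the session attribute
// key below are names chosen for this example.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class PrincipalConsistencyFilter implements Filter {
    // Session attribute holding the "user|role1,role2," snapshot (assumed key).
    private static final String SNAPSHOT_ATTR = "auth.snapshot";
    private String[] watchedRoles = new String[0];

    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("watchedRoles");
        if (p != null && p.trim().length() > 0) {
            watchedRoles = p.trim().split("\\s*,\\s*");
        }
    }

    /** Builds "user|role1,role2," from what the container reports right now. */
    String snapshot(HttpServletRequest req) {
        StringBuffer sb = new StringBuffer(String.valueOf(req.getRemoteUser())).append('|');
        for (int i = 0; i < watchedRoles.length; i++) {
            if (req.isUserInRole(watchedRoles[i])) {
                sb.append(watchedRoles[i]).append(',');
            }
        }
        return sb.toString();
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);

        // Only sessions that the container already treats as authenticated are checked.
        if (session != null && req.getRemoteUser() != null) {
            String now = snapshot(req);
            String first = (String) session.getAttribute(SNAPSHOT_ATTR);
            if (first == null) {
                // First authenticated request on this session: remember who it is.
                session.setAttribute(SNAPSHOT_ATTR, now);
            } else if (!first.equals(now)) {
                // Same session, different user or role set: log it for the
                // operator and end the session rather than serve the request.
                session.getServletContext().log(
                    "AUTH MISMATCH session=" + session.getId()
                    + " first=" + first + " now=" + now
                    + " remoteAddr=" + req.getRemoteAddr());
                session.invalidate();
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Map the filter to the protected URL pattern in web.xml with a `watchedRoles` init-param listing the roles the application actually grants (for example the names used in its `<security-role>` entries). A logged "AUTH MISMATCH" line is the signal that the container's view of a session changed underneath it; since the thread has not established whether the caching is per client address or per pooled connection, the log line records the remote address so the two cases can be told apart when the entries are reviewed.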
