tomcat-users mailing list archives

From Larry Isaacs <Larry.Isa...@sas.com>
Subject RE: Security bug in isapi_redirect.dll and Tomcat 3.2.3 ?
Date Tue, 16 Oct 2001 19:33:04 GMT
It is a risk when you give the web server direct access
to the web application resources.  If the connector is
tricked or somehow fails to accept the request, the
web server can easily serve up the resource statically.

A number of steps have been taken to avoid this.  In fact,
with IIS 4.0, Tomcat 3.2.3, and 3.2.3's isapi_redirect.dll
I am not able to duplicate this problem.  The iis_redirect.log
shows that for a URL like
http://localhost//somecontext/jsp/somepage.jsp, the request
is being forwarded to Tomcat 3.2.3.  I'm not sure why
your IIS is serving the page directly.  I would recommend
setting the log level to debug and checking the
iis_redirect.log file to see why isapi_redirect.dll isn't
accepting the request.  

Larry

> -----Original Message-----
> From: Stéphane BAUDET [mailto:sbaudet@gltrade.fr]
> Sent: Tuesday, October 16, 2001 11:51 AM
> To: tomcat-user@jakarta.apache.org
> Subject: Security bug in isapi_redirect.dll and Tomcat 3.2.3 ?
> 
> 
> Hello,
> 
> I'm running IIS 5.0 with Tomcat 3.2.3
> I've set up my uriworkermap.properties with this information:
> 
> /mycontext/servlet/*=$(default.worker)
> /mycontext/*.jsp=$(default.worker)
> 
> so only the servlet and the .jsp are served by Tomcat.
> 
> Under the /mycontext directory I've got the following directory
> structure (which is standard):
> 
> /mycontext/images: contains the images of my web server
> /mycontext/jsp: my jsp
> /mycontext/WEB-INF : where my classes and jar files are.
> 
> In test, I'm running only Tomcat, and that works fine.
> In production I'm running IIS + Tomcat to optimize the static part.
> So I've decided to create a virtual directory which points to:
> 
> /mycontext with read only permission.
> 
> The optimisation works fine, and my images are served 10 times faster.
> But I've noticed this strange behaviour:
> 
> If I type http://localhost/mycontext/jsp/index.jsp
> I've got my JSP page
> 
> but if I type:
> http://localhost//mycontext/jsp/index.jsp, the source code of 
> my jsp is
> displayed in my browser !!!!
> 
> As a workaround, I've disabled in IIS the read permission of 
> /mycontext/jsp
> 
> I would like to know if this is a security issue in the 
> isapi_redirect.dll
> or if it's the proper behaviour.
> 
> Would you be kind enough to reply to sbaudet@gltrade.fr, as
> I'm currently
> off the list.
> 
> Thanks,
> 
> Stéphane
> 

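To make the failure mode discussed in this thread concrete, here is an added Python simulation (not code from isapi_redirect.dll, Tomcat, or either poster) of prefix matching against the two uriworkermap.properties lines quoted above. It assumes a simple prefix/suffix reading of the `*` patterns, which is an assumption about the mapping semantics rather than the connector's real implementation, and it adds a normalization step that collapses duplicate slashes and dot segments before matching. That normalization is the defensive check: without it, a raw path beginning with `//` never matches `/mycontext/...`, so the connector declines the request and the web server falls back to serving the file statically.

```python
"""
Simulated uriworkermap.properties matching, with and without path
normalization.  Added example; not the connector's own code.  The
prefix/suffix interpretation of '*' below is an assumption for illustration.
"""
import posixpath
import re
from typing import Dict, Optional

# The two mappings quoted in the thread.  "$(default.worker)" is the
# worker placeholder exactly as it appears in the original post.
URIWORKERMAP: Dict[str, str] = {
    "/mycontext/servlet/*": "$(default.worker)",
    "/mycontext/*.jsp": "$(default.worker)",
}


def match_raw(path: str, mapping: Dict[str, str] = URIWORKERMAP) -> Optional[str]:
    """Match the request path against the map exactly as given, no normalization.

    "/prefix/*"      -> prefix match
    "/prefix/*.ext"  -> prefix match plus suffix match
    anything else    -> exact match
    Returns the worker name, or None if no pattern applies.
    """
    for pattern, worker in mapping.items():
        if pattern.endswith("/*"):
            if path.startswith(pattern[:-1]):
                return worker
        elif "*" in pattern:
            prefix, suffix = pattern.split("*", 1)
            if path.startswith(prefix) and path.endswith(suffix):
                return worker
        elif path == pattern:
            return worker
    return None


def normalize(path: str) -> str:
    """Return the canonical form of a request path.

    Duplicate slashes are collapsed explicitly because posixpath.normpath
    deliberately preserves a leading '//'; normpath then resolves '.' and
    '..' segments without climbing above the root.
    """
    collapsed = re.sub(r"/+", "/", path)
    if not collapsed.startswith("/"):
        collapsed = "/" + collapsed
    return posixpath.normpath(collapsed)


def is_canonical(path: str) -> bool:
    """True when the raw path already equals its normalized form.

    A defender can log or reject non-canonical requests in front of the
    mapping step; a legitimate client has no reason to send '//'.
    """
    return path == normalize(path)


def route(path: str, normalize_first: bool) -> str:
    """Decide who serves the request: 'tomcat' via the connector, or
    'iis-static' when no mapping matches and the web server serves the
    file from the virtual directory itself."""
    candidate = normalize(path) if normalize_first else path
    return "tomcat" if match_raw(candidate) else "iis-static"


if __name__ == "__main__":
    # Constructed sample paths, including the double-slash case from the thread.
    samples = [
        "/mycontext/jsp/index.jsp",
        "//mycontext/jsp/index.jsp",
        "/mycontext/jsp/./index.jsp",
        "/mycontext/servlet/Hello",
        "/mycontext/images/logo.gif",
    ]
    print(f"{'path':32} {'canonical':9} {'raw match':10} {'normalized match'}")
    for p in samples:
        print(f"{p:32} {str(is_canonical(p)):9} "
              f"{route(p, normalize_first=False):10} {route(p, normalize_first=True)}")
```

Running the block prints one row per sample path; the `//mycontext/jsp/index.jsp` row shows `iis-static` under raw matching and `tomcat` once the path is normalized first. Rejecting non-canonical paths before the map is consulted, and removing the web server's read permission from the JSP directory as the original poster did, are independent layers: either one alone closes the gap described in the thread, and together they do not depend on the connector's matching rules.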