tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Tomcat 4.x security issue in protected environment
Date Sun, 17 Jul 2005 21:22:23 GMT
The short answers are:
1. No
2. No

The longer answer is:
This is categorically *not* a security issue with Tomcat. I have tested
this and Tomcat continues to operate correctly after a request with a
"very long" host header. This looks to me like an issue with your daemon.

And a few tips for future postings:
The phrase "very long" is totally useless. How long is a (very long)
piece of string? You need to be specific when discussing potential bugs
on tomcat-user if people are going to stand a chance of reproducing what
you are seeing.

Don't speculate wildly on the root cause of an issue. If you don't know
something, don't say anything or better yet say you don't know.
Inaccurate speculation presented as fact undermines your credibility and
significantly reduces your chances of receiving a response.

Finally, a public mailing list is not the right place to raise potential
security issues.

Mark

Rashma N wrote:
> Hi,
>  
> We are using Tomcat 4.0.4 in our product. We have a daemon which is a wrapper around the tomcat.
>  
> We are facing one security issue with the Tomcat. If we send a HTTP packet with a long string in the Host field, it closes the connection.
> EX: 
> 
>>>telnet <machine> <port on which tomcat is running>
> 
> GET /index.html HTTP/1.1
> Host: <very long string>
> ------------
> HTTP/1.1 400 Bad Request
> Content-Type: text/html
> Date: Fri, 14 Oct 2005 05:16:57 GMT
> Connection: close
> Server: Apache Tomcat/4.0.4 (HTTP/1.1 Connector)
> Connection closed by foreign host.
> 
> Though tomcat closes the connection, somewhere it is overwriting the memory and not cleaning up the buffer/memory which holds this host string. Because of this, applications which are already launched through the tomcat webserver get the exception and our daemon dies.
>  
> Can somebody help me in figuring out 
> 1. Is this a known issue with the tomcat?
> 2. If yes, can I get a patch on top of Tomcat 4x where the above problem is fixed?
>  
> Any pointers on this would be of great help!!!
>  
> Thanks,
> Rashma