tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability
Date Thu, 15 May 2008 16:06:27 GMT


Peter Crowther wrote:
|> From: Christopher Schultz []
|> <tents fingers>The internal IP address of the server is ...
|>! Nobody would have ever guessed that!
|> Excellent! Now I can
|> take over the world! Muahahaha!</tents fingers>
| *Chuckle*  Chris, all you need now is the white cat and the secret
| base in the garden shed.
| You might not be able to take over the world, but you might be able
| to take over the server more easily if you can crack something else
| on the same internal network.

Absolutely, especially if there is either no firewall or one configured
poorly or a foolish TCP/IP stack, you could forge an internal IP address
as the source for a request that originates externally. If special
services (like SHUTDOWN) are accepted without authentication from local
addresses, you've got yourself a problem.

| The OP's correct that it's an information disclosure vulnerability,
| though I'm not sure whether it's present in Tomcat's error pages.
| Certainly if you're going through the checklist of "generic" vuls so
| that you can demonstrate your installation is hardened against those
| attacks, it's fair to ask whether Tomcat's susceptible.

I just couldn't resist.

- -chris
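
The point above about services such as SHUTDOWN being accepted without authentication from local addresses can be checked in a Tomcat configuration. The following is an added example, not part of the original message or of Tomcat's own code: a small audit of the `<Server>` element in `server.xml`. It assumes current Tomcat semantics for the `port`, `shutdown` and `address` attributes (`port="-1"` disables the listener, loopback is the default bind address); the sample XML strings are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples of the <Server> element (not taken from the thread).
SAMPLE_DEFAULT = '<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina"/></Server>'
SAMPLE_HARDENED = '<Server port="-1" shutdown="SHUTDOWN"><Service name="Catalina"/></Server>'
SAMPLE_EXPOSED = '<Server port="8005" shutdown="SHUTDOWN" address="0.0.0.0"/>'


def _is_loopback(address: str) -> bool:
    """True only for 'localhost' or a literal loopback IP address."""
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # any other hostname is treated as not provably local


def audit_shutdown_listener(server_xml: str) -> list[str]:
    """Return findings about the shutdown listener declared in server.xml text."""
    root = ET.fromstring(server_xml)
    if root.tag != "Server":
        raise ValueError("root element is not <Server>")
    # Assumed defaults when an attribute is absent: port 8005, command SHUTDOWN.
    port = int(root.get("port", "8005"))
    if port == -1:
        return []  # listener disabled, nothing to reach by address spoofing
    findings = [f"shutdown listener enabled on port {port}"]
    if root.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
        findings.append("shutdown command is the well-known string 'SHUTDOWN'")
    address = root.get("address", "localhost")
    if not _is_loopback(address):
        findings.append(f"shutdown listener bound to non-loopback address {address}")
    return findings


if __name__ == "__main__":
    for name, xml in [("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED),
                      ("exposed", SAMPLE_EXPOSED)]:
        print(name, audit_shutdown_listener(xml))
```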

