tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <falva...@geocom.com.uy>
Subject RE: Static resource mapping in web.xml
Date Wed, 08 Jun 2011 16:48:05 GMT
Thanks a lot André for taking the time in explaining.

Currently we do not have this kind of attacks because the app runs in an
intranet. But I know that in this closed scenario we should beware of the
users.
 
Hopefully, someday, we will be able to properly map this application in
web.xml and leave this problems behind (and get new ones ;)).

Thanks again.

Best regards,
    Federico.

-----Mensaje original-----
De: André Warnier [mailto:aw@ice-sa.com] 
Enviado el: miércoles, 08 de junio de 2011 13:02
Para: Tomcat Users List
Asunto: Re: Static resource mapping in web.xml

falvarez@geocom.com.uy wrote:
> I know we are going a little off the original topic, but for me this is
very
> interesting.
> 
> I think I understand your point:
> 
> 	Any library in /webapp/lib/ that has access to executing linux
> commands (as you point) could be executed as well from any browser.
>

No, unless it is specifically mapped to a URL in web.xml.


> 	If invoker is not enabled, unless this class is mapped there is no
> possible harm.
> 
> Your example made clear the damage potential in using invoker.
> 
> But: unless there are JARs with this capabilities in Tomcats distribution
or
> standard packages (like xstream, axis, itext, ...) this is a very
improbable
> situation, right?

All of those are open-source. So anyone can examine the code to determine if
there is some 
function in there that can be misused.

  Because whoever writes this URL should precisely know the
> architecture of the application in order to use a non-standard library or
> servlet.
> 
Yes, but they can find out, using the same invoker servlet. They just have
to try any URL 
they can think of, until it works..

Have you ever looked at your Internet webserver logs, and seen lines like
these ?

[Tue May 31 04:02:30 2011] [error] [client 91.121.243.113] File does not
exist: 
/var/www/default/docs/w00tw00t.at.blackhats.romanian.anti-sec:)
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not
exist: 
/var/www/default/docs/phpMyAdmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not
exist: 
/var/www/default/docs/phpmyadmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not
exist: 
/var/www/default/docs/pma
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not
exist: 
/var/www/default/docs/myadmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not
exist: 
/var/www/default/docs/MyAdmin

Now, where do you think these come from ?


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message