tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Static resource mapping in web.xml
Date Wed, 08 Jun 2011 16:01:56 GMT
falvarez@geocom.com.uy wrote:
> I know we are going a little off the original topic, but for me this is very
> interesting.
> 
> I think I understand your point:
> 
> 	Any library in /webapp/lib/ that has access to executing linux
> commands (as you point) could be executed as well from any browser.
>

No, unless it is specifically mapped to a URL in web.xml.


> 	If invoker is not enabled, unless this class is mapped there is no
> possible harm.
> 
> Your example made clear the damage potential in using invoker.
> 
> But: unless there are JARs with these capabilities in Tomcat's distribution or
> standard packages (like xstream, axis, itext, ...) this is a very improbable
> situation, right?

All of those are open-source. So anyone can examine the code to determine if there is some
function in there that can be misused.

> 	Because whoever writes this URL should precisely know the
> architecture of the application in order to use a non-standard library or
> servlet.
> 
Yes, but they can find out, using the same invoker servlet. They just have to try any URL
they can think of, until it works...

Have you ever looked at your Internet webserver logs, and seen lines like these?

[Tue May 31 04:02:30 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/w00tw00t.at.blackhats.romanian.anti-sec:)
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/phpMyAdmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/phpmyadmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/pma
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/myadmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/MyAdmin

Now, where do you think these come from?


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
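As an added example (not part of this message or the thread), a defender-side script that picks out the kind of scanner traffic shown in the log lines above: it parses Apache httpd error-log "File does not exist" entries and reports clients that request several distinct non-existent paths within a short window. The sample log is constructed from the quoted lines plus one benign entry; the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: the six probe lines quoted in the message above,
# plus one ordinary missing-favicon request from another (made-up) client.
SAMPLE_LOG = """\
[Tue May 31 04:02:30 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/w00tw00t.at.blackhats.romanian.anti-sec:)
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/phpMyAdmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/phpmyadmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/pma
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/myadmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/MyAdmin
[Tue May 31 09:15:02 2011] [error] [client 10.0.0.7] File does not exist: /var/www/default/docs/favicon.ico
"""

# Apache 2.2-style error-log line: [timestamp] [error] [client IP] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)


def parse_missing_file_errors(text):
    """Yield (timestamp, client_ip, path) for each 'File does not exist' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group("ip"), m.group("path")


def find_probing_clients(text, min_paths=4, window_seconds=60):
    """Return {ip: sorted distinct paths} for every client that asked for at
    least `min_paths` distinct non-existent paths inside `window_seconds`.
    One mistyped URL never trips this; walking a wordlist of admin paths does."""
    by_ip = defaultdict(list)
    for ts, ip, path in parse_missing_file_errors(text):
        by_ip[ip].append((ts, path))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # sliding window anchored at hit i
            window = {p for t, p in hits[i:] if (t - start).total_seconds() <= window_seconds}
            if len(window) >= min_paths:
                flagged[ip] = sorted({p for _, p in hits})
                break
    return flagged
```

Feed it a real error_log instead of SAMPLE_LOG and the flagged addresses are candidates for blocking or closer review; the threshold tuning depends on how noisy your own site's 404 traffic is.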

