From: André Warnier <aw@ice-sa.com>
Reply-To: Tomcat Users List <users@tomcat.apache.org>
To: Tomcat Users List <users@tomcat.apache.org>
Date: Wed, 08 Jun 2011 18:01:56 +0200
Subject: Re: Static resource mapping in web.xml
Message-ID: <4DEF9CF4.1010002@ice-sa.com>
References: <00e001cc25e6$bd643ab0$382cb010$@com.uy> <4DEF88AE.1070300@apache.org> <00eb01cc25ed$cc7a0f50$656e2df0$@com.uy> <4DEF935F.6080904@ice-sa.com> <010e01cc25f2$ef9a4540$cececfc0$@com.uy>
In-Reply-To: <010e01cc25f2$ef9a4540$cececfc0$@com.uy>

falvarez@geocom.com.uy wrote:
> I know we are going a little off the original topic, but for me this is very
> interesting.
>
> I think I understand your point:
>
> Any library in /webapp/lib/ that has access to executing linux
> commands (as you point) could be executed as well from any browser.
>
No, unless it is specifically mapped to a URL in web.xml.

> If invoker is not enabled, unless this class is mapped there is no
> possible harm.
>
> Your example made clear the damage potential in using invoker.
>
> But: unless there are JARs with these capabilities in Tomcat's distribution or
> standard packages (like xstream, axis, itext, ...) this is a very improbable
> situation, right?

All of those are open-source. So anyone can examine the code to determine if there is some function in there that can be misused.

> Because whoever writes this URL should precisely know the
> architecture of the application in order to use a non-standard library or
> servlet.
>
Yes, but they can find out, using the same invoker servlet. They just have to try any URL they can think of, until it works...

Have you ever looked at your Internet webserver logs, and seen lines like these?

[Tue May 31 04:02:30 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/w00tw00t.at.blackhats.romanian.anti-sec:)
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/phpMyAdmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/phpmyadmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/pma
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/myadmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/MyAdmin

Now, where do you think these come from?
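The scanning pattern the log excerpt above illustrates (one client hammering a server with guesses for well-known admin paths within a second or two) is easy to pick out mechanically. The following Python is an added example, not part of the original thread or of Tomcat or Apache httpd: it parses Apache 2.2-style error_log lines of the form quoted in the message, groups "File does not exist" misses per client, and flags clients that either produce a burst of misses inside a short window or request several well-known probe names. The sample log lines, client addresses, probe-name list and thresholds are all constructed for the example and would need tuning for a real site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.2-style error_log line, matching the shape quoted in the message.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)

# Leaf names that legitimate users of this site never request but mass
# scanners routinely probe for. Assumption: derived from the quoted log
# lines; extend for your own environment.
KNOWN_PROBES = {"phpmyadmin", "pma", "myadmin", "w00tw00t"}

# Constructed sample input (not a real server's logs): one scanner-like
# client and one ordinary client that merely lacks a favicon.
SAMPLE_LOG = """\
[Tue May 31 04:02:30 2011] [error] [client 198.51.100.7] File does not exist: /var/www/default/docs/w00tw00t.at.blackhats.romanian.anti-sec:)
[Tue May 31 04:02:31 2011] [error] [client 198.51.100.7] File does not exist: /var/www/default/docs/phpMyAdmin
[Tue May 31 04:02:31 2011] [error] [client 198.51.100.7] File does not exist: /var/www/default/docs/phpmyadmin
[Tue May 31 04:02:31 2011] [error] [client 198.51.100.7] File does not exist: /var/www/default/docs/pma
[Tue May 31 04:02:31 2011] [error] [client 198.51.100.7] File does not exist: /var/www/default/docs/myadmin
[Tue May 31 04:02:31 2011] [error] [client 198.51.100.7] File does not exist: /var/www/default/docs/MyAdmin
[Tue May 31 04:05:10 2011] [error] [client 203.0.113.5] File does not exist: /var/www/default/docs/favicon.ico
[Tue May 31 04:09:42 2011] [error] [client 203.0.113.5] File does not exist: /var/www/default/docs/robots.txt
"""


def parse_line(line):
    """Return (timestamp, client_ip, path), or None if the line is not a
    'File does not exist' error in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("ip"), m.group("path")


def looks_like_probe(path):
    """True when the last path component starts with a known probe name
    (case-insensitive, so 'phpMyAdmin' and 'MyAdmin' are caught, and a
    prefix match so 'w00tw00t.at...' is caught too)."""
    leaf = path.rsplit("/", 1)[-1].lower()
    return any(leaf.startswith(p) for p in KNOWN_PROBES)


def detect_scanners(lines, window=timedelta(seconds=60), min_misses=5, min_probes=2):
    """Group misses by client and flag clients that either produce at least
    min_misses misses inside one sliding window, or request at least
    min_probes distinct known probe paths at any time."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, path = parsed
            events[ip].append((ts, path))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # chronological order for the sliding window
        probes = sorted({p for _, p in evs if looks_like_probe(p)})
        burst = 0
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= min_misses or len(probes) >= min_probes:
            flagged[ip] = {
                "misses": len(evs),
                "max_burst": burst,
                "probe_paths": probes,
            }
    return flagged


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_scanners(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, summary in run_sample().items():
        print(ip, summary)
```

The two signals are deliberately independent: the burst count catches scanners whose wordlist you have never seen, while the probe-name match catches slow, spread-out scans that stay under the burst threshold. On a real server the output is the list of addresses to rate-limit or block at the front end; the underlying defence, as the message says, is still to leave the invoker servlet disabled and map only what the application needs in web.xml.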