tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Some questions about Tomcat ISAPI Connector and its documentation
Date Sat, 10 Mar 2012 23:13:41 GMT
Konstantin Preißer wrote:
...
> 
> 2. I observed that when a request is made to IIS which is mapped to Tomcat, and the request
> path contains the string "WEB-INF", like
> http://www.example.com/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf
> then the ISAPI connector logs a statement like this:
> 
> [Sat Mar 10 22:34:58.030 2012] [11744:10792] [emerg] handle_notify_event::jk_isapi_plugin.c (1997): [/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf] points to the web-inf or meta-inf directory. Somebody tries to hack into the site!!!
> 
> If I remember correctly, in some earlier versions of the ISAPI connector (or IIS), in
> such cases the TCP connection from IIS to the client would also be closed without any reply;
> however, in the current version, a 404 reply is sent from the ISAPI connector.
> 
> I'm wondering why the ISAPI redirector checks if "WEB-INF" is occurring in the path,
> because Tomcat seems to already check if a request is made to the WEB-INF or META-INF directory
> of a web application, and if so, sends back a normal 404 response. Is this a kind of relic
> from earlier times? Because I would expect that the ISAPI redirector just passes the request
> to Tomcat and lets Tomcat decide how requests to forbidden directories are handled, without
> writing an "emergency" log entry.
> 
That is probably what isapi_redirector does anyway (forward the request to Tomcat, and let
Tomcat send the 404 response (which may be customised)).
But perhaps the log message in the isapi_redirector log is there for the following reason:
when Tomcat is hosted on a separate host, it may be nice, on the IIS/isapi_redirector
host, to have a log entry recording this.  Just in case the IIS-side logs are being
watched closely, and the Tomcat logs less so.
After all, someone using a URL including WEB-INF or META-INF is quite likely to be
someone who /is/ trying to hack the system.

That kind of overlaps the warning in red text that is present on the connectors' "how-to"
pages, like:

However, you should be very careful when you implement the following configuration style,
because by doing so you are in fact providing a "back-door" to IIS, and allowing it to
serve files out of a Tomcat context without Tomcat's knowledge, thus bypassing any
security restrictions which Tomcat itself and the Tomcat context (webapp) may place on
those files.

Does this log message bother you? Why would you want to /not/ have it?


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
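As an added illustration (not code from this thread or from the Tomcat connectors project), the following Python parses the isapi_redirector log line shape quoted above, pulls out the "points to the web-inf or meta-inf directory" events so the IIS-side log can be watched for them as the reply suggests, and includes a segment-based path check that only approximates the redirector's own test. The sample log lines (apart from the one quoted in the thread) and all function names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Shape of the isapi_redirector log line quoted in the thread:
# [timestamp] [pid:tid] [level] function::file (line): message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<pid>\d+):(?P<tid>\d+)\] \[(?P<level>\w+)\] "
    r"(?P<func>\w+)::(?P<file>[\w.]+) \((?P<line>\d+)\): (?P<msg>.*)$"
)
# Message the redirector writes when it refuses a WEB-INF / META-INF path.
PROBE_RE = re.compile(r"^\[(?P<path>[^\]]*)\] points to the web-inf or meta-inf directory")

FORBIDDEN_SEGMENTS = {"WEB-INF", "META-INF"}


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_forbidden_path(path: str) -> bool:
    """Assumed approximation of the redirector's test (not its actual code):
    percent-decode, normalise separators, compare each segment case-insensitively."""
    decoded = unquote(path).replace("\\", "/")
    return any(seg.upper() in FORBIDDEN_SEGMENTS for seg in decoded.split("/"))


def probe_events(log_text: str):
    """Extract timestamp, pid and requested path for every WEB-INF/META-INF hit."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["level"] != "emerg":
            continue
        pm = PROBE_RE.match(rec["msg"])
        if pm:
            events.append({"ts": rec["ts"], "pid": rec["pid"], "path": pm.group("path")})
    return events


# Constructed sample log; the first line is the one quoted in the thread.
SAMPLE_LOG = """\
[Sat Mar 10 22:34:58.030 2012] [11744:10792] [emerg] handle_notify_event::jk_isapi_plugin.c (1997): [/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf] points to the web-inf or meta-inf directory. Somebody tries to hack into the site!!!
[Sat Mar 10 22:35:01.112 2012] [11744:10792] [debug] handle_notify_event::jk_isapi_plugin.c (0000): constructed filler line for [/test/index.jsp]
[Sat Mar 10 22:35:02.500 2012] [11744:10792] [emerg] handle_notify_event::jk_isapi_plugin.c (1997): [/app/META-INF/context.xml] points to the web-inf or meta-inf directory. Somebody tries to hack into the site!!!
"""

if __name__ == "__main__":
    for ev in probe_events(SAMPLE_LOG):
        print(ev["ts"], ev["path"], "forbidden:", is_forbidden_path(ev["path"]))
```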

