From: André Warnier <aw@ice-sa.com>
Reply-To: Tomcat Users List
To: Tomcat Users List
Date: Sun, 11 Mar 2012 00:13:41 +0100
Subject: Re: Some questions about Tomcat ISAPI Connector and its documentation
Message-ID: <4F5BE025.2000309@ice-sa.com>
In-Reply-To: <000301ccff07$eeadc000$cc094000$@preisser@t-online.de>
Konstantin Preißer wrote:
...
>
> 2. I observed that when a request is made to IIS which is mapped to Tomcat,
> and the request path contains the string "WEB-INF", like
> http://www.example.com/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf
> then the ISAPI connector logs a statement like this:
>
> [Sat Mar 10 22:34:58.030 2012] [11744:10792] [emerg] handle_notify_event::jk_isapi_plugin.c (1997): [/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf] points to the web-inf or meta-inf directory. Somebody tries to hack into the site!!!
>
> If I remember correctly, in some earlier versions of the ISAPI connector (or
> IIS), in such cases the TCP connection from IIS to the client would also be
> closed without any reply; however, in the current version, a 404 reply is
> sent from the ISAPI connector.
>
> I'm wondering why the ISAPI redirector checks if "WEB-INF" is occurring in
> the path, because Tomcat seems to already check if a request is made to the
> WEB-INF or META-INF directory of a web application, and if so, sends back a
> normal 404 response. Is this a kind of relic from earlier times? Because I
> would expect that the ISAPI redirector just passes the request to Tomcat and
> lets Tomcat decide how requests to forbidden directories are handled,
> without writing an "emergency" log entry.
>

That is probably what isapi_redirector does anyway (forward the request to
Tomcat, and let Tomcat send the 404 response (which may be customised)).

But perhaps the log message in the isapi_redirector log is there for the
following reason: when Tomcat is hosted on a separate host, it may be nice,
on the IIS/isapi_redirector host, to have a log entry recording this. Just in
case the IIS-side logs are being watched closely, and the Tomcat logs less
so. After all, someone using a URL including WEB-INF or META-INF is quite
likely to be someone who /is/ trying to hack the system.

That kind of overlaps the warning in red text that is present on the
connectors' "how-to" pages, like:

    However, you should be very careful when you implement the following
    configuration style, because by doing so you are in fact providing a
    "back-door" to IIS, and allowing it to serve files out of a Tomcat
    context without Tomcat's knowledge, thus bypassing any security
    restrictions which Tomcat itself and the Tomcat context (webapp) may
    place on those files.

Does this log message bother you? Why would you want to /not/ have it?
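As an added illustration of the two defender-side pieces this exchange touches (this is not code from the Tomcat ISAPI connector, nor from either poster), the Python below sketches a per-segment WEB-INF/META-INF check of the kind a front end could apply before forwarding, and a parser for the isapi_redirector [emerg] line quoted above so that the IIS-side log can feed monitoring, which is the use André suggests for it. The normalization rules are an assumed approximation rather than jk_isapi_plugin.c's actual logic, the log-line field layout is inferred from the single line on this page, and the extra sample log entries are constructed.

```python
"""Added example, not from the Tomcat ISAPI connector or either poster.

  * is_protected_path(): per-segment WEB-INF / META-INF check a front end
    could apply before forwarding (assumed approximation, not jk_isapi_plugin.c).
  * parse_redirector_log(): parses the isapi_redirector [emerg] line quoted
    in the thread; the field layout is inferred from that one sample.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Directories a servlet container never serves directly.
PROTECTED_SEGMENTS = {"web-inf", "meta-inf"}


def normalize_path(raw_path: str) -> str:
    """Percent-decode (twice, so a doubly encoded name is still seen),
    unify separators and resolve '.' and '..' segments."""
    path = unquote(unquote(raw_path)).replace("\\", "/")
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def _has_protected_segment(path: str) -> bool:
    # Segment match, not substring match: "/web-infographics/" must not trip it.
    # Case-insensitive because IIS/Windows file names are.
    return any(seg.lower() in PROTECTED_SEGMENTS for seg in path.split("/"))


def is_protected_path(raw_path: str) -> bool:
    """Flag WEB-INF/META-INF as a segment of the path as received or after
    normalization.  Checking the raw path too mirrors what the thread reports:
    the redirector reacts to the string being present at all."""
    return _has_protected_segment(raw_path) or _has_protected_segment(normalize_path(raw_path))


# Layout of the log line quoted in the thread (an assumption from one sample):
# [Sat Mar 10 22:34:58.030 2012] [11744:10792] [emerg] handle_notify_event::jk_isapi_plugin.c (1997): [/...] points to the web-inf or meta-inf directory. Somebody tries to hack into the site!!!
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<pid>\d+):(?P<tid>\d+)\] \[(?P<level>\w+)\] "
    r"(?P<func>\w+)::(?P<file>[\w.]+) \((?P<line>\d+)\): (?P<msg>.*)$"
)
PROBE_RE = re.compile(r"^\[(?P<path>[^\]]*)\] points to the web-inf or meta-inf directory")


def parse_redirector_log(line: str) -> Optional[dict]:
    """Fields of one isapi_redirector log line, or None if the layout does not
    fit.  'path' is set only for the WEB-INF/META-INF message; 'probe' is True
    for that message at [emerg] level."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "tid", "line"):
        rec[key] = int(rec[key])
    p = PROBE_RE.match(rec["msg"])
    rec["path"] = p.group("path") if p else None
    rec["probe"] = rec["level"] == "emerg" and p is not None
    return rec


def probed_paths(lines) -> list:
    """Paths from every WEB-INF/META-INF [emerg] entry: the ones an IIS-side
    watcher would alert on."""
    out = []
    for line in lines:
        rec = parse_redirector_log(line)
        if rec and rec["probe"]:
            out.append(rec["path"])
    return out


# Constructed sample: the line quoted in the thread plus two made-up lines
# (the second is an ordinary, non-alerting entry in the same layout).
SAMPLE_LOG = [
    "[Sat Mar 10 22:34:58.030 2012] [11744:10792] [emerg] handle_notify_event::jk_isapi_plugin.c (1997): "
    "[/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf] points to the web-inf or meta-inf directory. "
    "Somebody tries to hack into the site!!!",
    "[Sat Mar 10 22:35:01.120 2012] [11744:10792] [info] handle_notify_event::jk_isapi_plugin.c (1900): "
    "request for [/test/index.jsp] forwarded (constructed entry)",
    "not a redirector log line at all",
]

if __name__ == "__main__":
    for path in ("/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf",
                 "/app/web-infographics/x.png", "/app/foo/../web-inf/web.xml"):
        print(f"{path:50} protected={is_protected_path(path)}")
    print("alert on:", probed_paths(SAMPLE_LOG))
```

The check tests whole path segments rather than doing a substring search, so a harmless name such as /web-infographics/ is not flagged, while case variants and dot segments that a Windows file system would collapse are. The parser keeps the pid:tid and source location fields so that an alert can be correlated with the IIS process that handled the request.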