tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marvin Lillehaug <Marvin.Lilleh...@kantega.no>
Subject RE: Responses of two different requests concatinated
Date Wed, 07 Aug 2013 15:25:04 GMT
Thank you both for your replies :)
I only have a screenshot of how it looked to the user, so I don't know whether the headers
was included. 

I have given up trying to investigate further, so I guess the only thing to do is to activate
RECYCLE_FACADES and hope for the best.

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com] 
Sent: Wednesday, August 07, 2013 12:35 PM
To: Tomcat Users List
Cc: users@httpd.apache.org
Subject: Re: Responses of two different requests concatinated

2013/8/7 Marvin Lillehaug <Marvin.Lillehaug@kantega.no>:
> Hi!
> We recently got an error report from a user of one of the systems we have developed,
showing that the response from a different request had been appended to the original response.
> The original response was the front page of a site, generated with jsp, and the appended
response was a excel file generated a few seconds earlier.
> Our current hypothesis is that some buffer in either httpd(2.2.22) or Tomcat (7.0.35)
has been recycled.
> Httpd is connected to Tomcat using http proxypass.
>
> I have started trying to reproduce the problem, but thought I should try the mailing
lists of both httpd and tomcat before continuing.
> What I have done thus far is: concatenating html and excel to verify that it is possible
to open and looks the way the user experienced; building a custom version of Tomcat that uses
the same Processor for each request and configured to use only one thread.
>
> This seems a bit similar to the issue described in 
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.12 (CVE-2011-1475)
Some results when googleling suggests that this could happen when jsp tags are not coded properly,
but I have not found any such code in our applications.
>
> Does anyone have any ideas or suggestions?
>

Usual culprit is a bug in web application that uses request/response objects outside of their
life cycle.

The first step that I'd recommend is to set org.apache.catalina.connector.RECYCLE_FACADES=true
for better security and to ease detection of such misuse.

See
http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#System_Properties
http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html

There is also exists a known issue in Java ImageIO API, https://wiki.apache.org/tomcat/FAQ/KnownIssues#ImageIOIssues

There also exists CVE-2013-2071 (fixed in 7.0.40).


Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org






---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message