www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Fabien Campagne <campa...@inka.mssm.edu>
Subject mod_jserv/5261: JServ1.1b3 reject connections other than from localhost 127.0.0.1 (whatever the configuration)
Date Fri, 05 Nov 1999 14:27:57 GMT

>Number:         5261
>Category:       mod_jserv
>Synopsis:       JServ1.1b3 reject connections other than from localhost 127.0.0.1 (whatever
the configuration)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    jserv
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Nov  5 06:30:02 PST 1999
>Last-Modified:
>Originator:     campagne@inka.mssm.edu
>Organization:
apache
>Release:        1.3.9
>Environment:
reproducible on Solaris 2.7 and SGI 6.5, OS independant (problem in the
the JServ java servlet engine).

>Description:


JServ1.1b3, java JServ rejects connections that do not originate from
localhost, whatever the value of the security.allowedAddresses property.

This is serious/critical: It prevents from using JServ1.1b3 
with JServ engines on different hosts than the web server.

>How-To-Repeat:
Configure JServ so that 
security.allowedAddresses=127.0.0.1,x.y.z.X (x.y.z.X is the
IP of the same machine, network interface).

Then, with telnet, try the connection:

telnet localhost 8007
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
]KH[W
Connection closed by foreign host.




telnet x.y.z.X 8007
Trying x.y.z.X...
telnet: Unable to connect to remote host: Connection refused

On the Contrary, changing nothing to the configuration but
replacing the ApacheJServ1.1b3 jar by the 1.0 version gives:
 telnet localhost 8007
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
H]

Connection closed by foreign host.
telnet x.y.z.X 8007
Trying x.y.z.X...
Connected to gprotein.physbio.mssm.edu.
Escape character is '^]'.
Q>H]
Connection closed by foreign host.

>Fix:
I will reinstall JServ1.0. I did not look into the code differences
between 1.0 and 1.1b3.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <apbugs@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]




Mime
View raw message