From: "Remy Maucherat"
To: "Tomcat Developers List"
Subject: Re: [ANNOUNCEMENT] Tomcat 4.0.3 security hotfix release
Date: Fri, 1 Mar 2002 21:48:26 -0800
Message-ID: <051a01c1c1ad$e01f86b0$6501a8c0@apache.org>
References: <04d801c1c19a$f9848320$6501a8c0@apache.org> <3C805E4B.3FE4A24C@voyager.apg.more.net>

> Remy Maucherat wrote:
> >
> > A security vulnerability affecting the sandboxing provided by the Java
> > Security Manager has been discovered. The request dispatcher functionality of
> > the Servlet API could be used by a malicious servlet or JSP page to get
> > access to any resource located on the server's filesystem, bypassing the
> > Security Manager protection.
> >
> > Note: People who are not using Tomcat with the Security Manager are not
> > affected by this problem, and do not need to upgrade.
>
> This statement is misleading. I reviewed the bug report and patch.
> The security bug had nothing to do with the SecurityManager implementation
> itself. It was due to the file path not being normalized before getting
> the RequestDispatcher for it. Tomcat would be vulnerable to this regardless
> of whether it was running with the SecurityManager or not.
>
> In fact, if you were running Tomcat with the SecurityManager enabled and
> a strict catalina.policy which restricted file access with FilePermissions,
> you would be less vulnerable than Tomcat running without the SecurityManager.
>
> Sorry this is a few hours too late for the announcement.
>
> Perhaps a follow-up announcement could be made to correct this.

I agree, but if you don't have the security manager, a malicious servlet could
already use direct filesystem access to read any file on the server, which is
a lot easier to use than this vulnerability. So the vulnerability doesn't make
it more insecure (but it's still a spec compliance bug).

OTOH, if you have the security manager, you're supposed to be protected,
regardless of whether or not there's a bug in the request dispatcher.

Remy
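The thread pins the bug on a file path that was not normalized before the RequestDispatcher was looked up. The following is an added example, not Tomcat's own patch or code: a small Java routine that normalizes a context-relative dispatcher path and rejects any path that would climb above the web application root, which is the check a container should run before it hands the path to the Servlet API's getRequestDispatcher. The Servlet API call itself is left out so the class runs stand-alone; the class name, method name and the sample paths are all constructed for this illustration.

```java
// Added example (not Tomcat's own code): normalize a servlet-relative path
// and refuse anything that escapes the web application root. This is the
// class of check the thread says was missing before the dispatcher lookup.
import java.util.ArrayDeque;
import java.util.Deque;

public class DispatcherPathCheck {

    /**
     * Returns the normalized form of {@code path}, or null if the path is
     * absent, not context-relative, or climbs above the context root.
     */
    public static String normalize(String path) {
        if (path == null || !path.startsWith("/")) {
            return null;                 // dispatcher paths must be context-relative
        }
        // Assumption: treat backslashes as separators so "..\" cannot slip past
        // the check on hosts where the filesystem accepts both separators.
        String p = path.replace('\\', '/');
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : p.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                // collapse "//" and "/./"
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;         // attempt to leave the context root
                }
                segments.removeLast();   // resolve ".." against the previous segment
                continue;
            }
            segments.addLast(seg);
        }
        StringBuilder sb = new StringBuilder();
        for (String seg : segments) {
            sb.append('/').append(seg);
        }
        return sb.length() == 0 ? "/" : sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: the first two stay inside the context root and
        // are rewritten to their canonical form; the last two are rejected.
        String[] samples = {
            "/WEB-INF/../jsp/page.jsp",   // -> /jsp/page.jsp
            "//./jsp//page.jsp",          // -> /jsp/page.jsp
            "/a/b/../../../outside.txt",  // -> REJECTED (escapes the root)
            "../outside.jsp"              // -> REJECTED (not context-relative)
        };
        for (String s : samples) {
            String n = normalize(s);
            System.out.println(s + " -> " + (n == null ? "REJECTED" : n));
        }
    }
}
```

Only a path that comes back non-null from normalize should ever reach the dispatcher; a null result means the request should be refused rather than resolved against the filesystem.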