From: Konstantin Kolinko
To: Tomcat Users List
Cc: "users@httpd.apache.org"
Date: Wed, 7 Aug 2013 14:35:24 +0400
Subject: Re: Responses of two different requests concatinated

2013/8/7 Marvin Lillehaug :
> Hi!
> We recently got an error report from a user of one of the systems we have developed, showing that the response from a different request had been appended to the original response.
> The original response was the front page of a site, generated with jsp, and the appended response was an Excel file generated a few seconds earlier.
> Our current hypothesis is that some buffer in either httpd (2.2.22) or Tomcat (7.0.35) has been recycled.
> Httpd is connected to Tomcat using http proxypass.
>
> I have started trying to reproduce the problem, but thought I should try the mailing lists of both httpd and tomcat before continuing.
> What I have done thus far is: concatenating html and excel to verify that it is possible to open and looks the way the user experienced; building a custom version of Tomcat that uses the same Processor for each request and configured to use only one thread.
>
> This seems a bit similar to the issue described in http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.12 (CVE-2011-1475)
> Some results when googling suggest that this could happen when jsp tags are not coded properly, but I have not found any such code in our applications.
>
> Does anyone have any ideas or suggestions?
>

The usual culprit is a bug in a web application that uses request/response objects outside of their life cycle.

The first step that I'd recommend is to set
org.apache.catalina.connector.RECYCLE_FACADES=true
for better security and to ease detection of such misuse. See

http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#System_Properties
http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html

There also exists a known issue in the Java ImageIO API:
https://wiki.apache.org/tomcat/FAQ/KnownIssues#ImageIOIssues

There also exists CVE-2013-2071 (fixed in 7.0.40).

Best regards,
Konstantin Kolinko
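
The kind of life-cycle misuse the reply above points to, next to a corrected form, as an added example that is not part of the original thread or of Tomcat's code. The class names, URL patterns and buildReport() are hypothetical; the Servlet 3.0 API that Tomcat 7 provides is assumed.

```java
import java.io.IOException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.servlet.AsyncContext;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlets for illustration only.
public class ResponseLifecycleExample {
    static final ExecutorService POOL = Executors.newFixedThreadPool(2);

    static byte[] buildReport() {          // stand-in for slow report generation
        return "report-bytes".getBytes();
    }

    // MISUSE: the response is captured by a task that outlives doGet().
    @WebServlet("/report-unsafe")
    public static class UnsafeServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, final HttpServletResponse resp) {
            POOL.submit(new Runnable() {
                public void run() {
                    try {
                        // doGet() has returned by now, so the container may already
                        // have recycled the response for another client's request.
                        resp.getOutputStream().write(buildReport());
                    } catch (IOException ignored) { }
                }
            });
        }
    }

    // CORRECTED: startAsync() keeps request and response valid until complete().
    @WebServlet(urlPatterns = "/report", asyncSupported = true)
    public static class AsyncServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
            final AsyncContext ctx = req.startAsync();
            POOL.submit(new Runnable() {
                public void run() {
                    try {
                        ctx.getResponse().getOutputStream().write(buildReport());
                    } catch (IOException e) {
                        log("report write failed", e);
                    } finally {
                        ctx.complete();    // only now may the container recycle them
                    }
                }
            });
        }
    }
}
```

With org.apache.catalina.connector.RECYCLE_FACADES=true, Tomcat creates a new facade object for each request, so a stale reference like the one held by UnsafeServlet no longer reaches the object reused for a later request, which makes the misuse easier to detect.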