[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844

--- Comment #8 from mingxuan ---

Thank you very much. Your explanation is authoritative. This problem is really caused by the web application's arbitrary path uploading together with CGI's arbitrary resolution, which leaves behind a CGI script back door. This should really be a problem for web application developers. Thank you again! Regarding this problem, I can also be bold enough to tell web developers that this is not a problem of Tomcat; it is caused by loopholes in the web application itself. ;) I hereby apologize to Remy Maucherat. I am stubborn. So sorry!

--
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
--- Comment #7 from Mark Thomas ---

Speaking as a member of both the Tomcat and ASF security teams: I whole-heartedly endorse everything Rémy said in comment #3. There is no vulnerability here. By design, the CGI servlet executes what it is told to. That is entirely under the application developer's control. It is irrelevant what file extensions the developer has chosen to give to the files the developer has configured the CGI Servlet to execute.

Separately, if an application developer is foolish enough to allow the uploading of arbitrary files from untrusted users to a location that permits them to be executed, then that would be an application vulnerability, not a Tomcat vulnerability.
--- Comment #6 from mingxuan ---

Well, thank you very much! Thank you! I'll send an e-mail to the security team. Ha-ha! I always feel like a problem... ;)
--- Comment #5 from Remy Maucherat ---

Yes, obvious security concerns should always be discussed on the security mailing list. At this time, the CGI servlet treats as CGI any mapped path.
--- Comment #4 from mingxuan ---

Thank you very much for your reply. If there are safety problems, is it a direct email to secur...@tomcat.apache.org? I still think there is a risk, because CGI has been opened: upload a file to this directory for the web, and regardless of whether it is JPG or txt, it executes the corresponding scripts. What do you think? Thank you very much.
Remy Maucherat changed:

  What        Removed   Added
  Status      NEW       RESOLVED
  Resolution  ---       INVALID
  OS                    All

--- Comment #3 from Remy Maucherat ---

You MUST report potential security issues to security @ tomcat.apache.org, never in a public BZ. There is no vulnerability here, however: the CGI servlet does not do anything with the path suffix (or file extension), it will simply attempt to execute any path mapped to it.
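As an added defensive check (not part of this thread or of Tomcat's own code), the script below models the behaviour Rémy and Mark describe in comments #3 and #7: it parses a web.xml, finds every CGIServlet mapping with its cgiPathPrefix (Tomcat's default is WEB-INF/cgi), and flags any application upload directory that lies inside a directory the CGI servlet executes files from, whatever extension the uploaded files carry. The web.xml fragment and the upload directories are constructed for the example.

```python
import posixpath
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"
DEFAULT_CGI_PREFIX = "WEB-INF/cgi"  # Tomcat's default cgiPathPrefix

def _local(tag):
    # Drop the XML namespace so lookups work with or without an xmlns.
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    return [c.text.strip() for c in elem if _local(c.tag) == name and c.text]

def cgi_exposures(web_xml_text, upload_dirs):
    """Return (servlet-name, url-pattern, cgiPathPrefix, upload_dir) for each
    webapp-relative upload dir inside a dir the CGI servlet executes from."""
    root = ET.fromstring(web_xml_text)
    prefixes = {}  # servlet-name -> normalised cgiPathPrefix
    for s in root:
        if _local(s.tag) != "servlet" or _texts(s, "servlet-class") != [CGI_SERVLET_CLASS]:
            continue
        prefix = DEFAULT_CGI_PREFIX  # used when no cgiPathPrefix init-param is set
        for p in s:
            if _local(p.tag) == "init-param" and _texts(p, "param-name") == ["cgiPathPrefix"]:
                prefix = _texts(p, "param-value")[0]
        prefixes[_texts(s, "servlet-name")[0]] = posixpath.normpath(prefix)
    findings = []
    for m in root:
        if _local(m.tag) != "servlet-mapping":
            continue
        name = _texts(m, "servlet-name")[0]
        if name not in prefixes:
            continue
        for pattern in _texts(m, "url-pattern"):
            for up in upload_dirs:
                norm = posixpath.normpath(up)  # resolves "../" so traversal in config is not missed
                if norm == prefixes[name] or norm.startswith(prefixes[name] + "/"):
                    findings.append((name, pattern, prefixes[name], norm))
    return findings

# Constructed web.xml: CGI servlet at /cgi-bin/* (Tomcat's sample mapping) with the default prefix.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet><servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param><param-name>cgiPathPrefix</param-name><param-value>WEB-INF/cgi</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>cgi</servlet-name><url-pattern>/cgi-bin/*</url-pattern></servlet-mapping>
</web-app>"""
# Hypothetical upload directories (webapp-relative) that the application writes user files into.
UPLOAD_DIRS = ["WEB-INF/cgi/uploads", "uploads"]
print(cgi_exposures(SAMPLE_WEB_XML, UPLOAD_DIRS))
```

Only the first upload directory is reported, because it sits under the CGI prefix; the second is outside any CGI-executable path and is left alone.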
mingxuan changed:

  What   Removed   Added
  OS     All       Mac OS X 10.13
mingxuan changed:

  What   Removed   Added
  OS               All

--- Comment #2 from mingxuan ---

Tomcat CGI suffix name arbitrary resolution vulnerability
--- Comment #1 from mingxuan ---

Created attachment 36203 --> https://bz.apache.org/bugzilla/attachment.cgi?id=36203=edit

Please refer to the annex for details.