Mark,
I for one an thrilled to see HTTPOnly support for Session Cookies in Tomcat
6.0 get close to fruition.
My oinion is that I think that session cookies should not be tagged as
HTTPOnly for Tomcat 6 by default. (Of course configuration should allow for
turning this on).
I worry that
Regards,
Jim Manico
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Great, Mark,
I'll add this as a bug and take it on.
- Jim
Jim Manico wrote:
URL Rewriting is consider to be a significant security risk (session
ID's get exposed in browser history, bookmarks, proxy servers and other
server-side application logs).
I would like to propose that we
, September 27, 2008 5:58 AM
To: Tomcat Developers List dev@tomcat.apache.org
Subject: Re: Findbugs results when run against Tomcat6
Jim Manico wrote:
Findbugs does a real bad job of findings real security bugs - I would
recommend running the codebase against Fortify + include the new Cigital
Findbugs does a real bad job of findings real security bugs - I would
recommend running the codebase against Fortify + include the new Cigital
rulepack.
Or take a look at the results of the Fortify Open Source Analysis project
https://opensource.fortify.com/teamserver/welcome.fhtml
- Jim
The books have arrived - we are all set!
-Original Message-
From: [EMAIL PROTECTED]
Sent: Thursday, September 25, 2008 11:41 AM
To: dev@tomcat.apache.org
Subject: svn commit: r699015 - /tomcat/current/tc4.1.x/STATUS.txt
Author: rjung
Date: Thu Sep 25 09:41:36 2008
New Revision: 699015
This is a worthwhile post to read regarding path traversal attacks
against tomcat.
http://www.0x00.com/?i=630
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your applications
I can feel the love. Thanks for your constructive comment, William.
- Jim
Jim Manico wrote:
This is a worthwhile post to read regarding path traversal attacks
against tomcat.
http://www.0x00.com/?i=630
Worthwhile? To note the community frustration against Tomcat parsers?
Must be what
,Queue)
---
Jens Kapitza
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604
: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com
.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect
My understanding is that crlf breaks the rfc and leads to http response
splitting attacks.
-Original Message-
From: [EMAIL PROTECTED]
Sent: Tuesday, June 10, 2008 11:50 AM
To: [EMAIL PROTECTED]
Subject: DO NOT REPLY [Bug 45180] New: CRLF Newline characters stripped from
header values
to pass an audit and I don't
really care about security)
- Jim
Mark Thomas wrote:
Jim Manico wrote:
The Fortify Opensource project automatically scans the Tomcat
codebase on a regular basis.
This probably only gives you 10% security coverage at best, but it's
a free report form a $50k tool
PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com
The Fortify Opensource project automatically scans the Tomcat codebase
on a regular basis.
This probably only gives you 10% security coverage at best, but it's a
free report form a $50k tool.
http://opensource.fortifysoftware.com
Hi devs,
I've been investigating Apache Tomcat within my
research, the Fortify Tomcat report might be a little interesting.
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com
Jim
Remy - please consider the Apache guidelines about being respectful on the
public lists.
Key word: please.
- Jim
-Original Message-
From: Remy Maucherat [EMAIL PROTECTED]
Sent: Wednesday, April 23, 2008 7:35 AM
To: Tomcat Developers List dev@tomcat.apache.org
Subject: Re: Osgifing
be the problem where to look. Why the Service keeps
working as long as I keep calling but stops working if I call after couple
of hours. Is there
any settings I need to make on Tomcat as I am new to Tomcat so have no idea
where to look.
Any help is appreciated.
Thanks
--
Jim Manico
Senior
wireless *just found* that this
is invalid, told him personally, and then revoke the commit again.!
cheers, Guen.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Jim
]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Jim Manico
Senior Application Security Engineer
Aspect Security
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Gentlemen,
As a blatant bribery attempt - I live and work on the island of Kauai in
Hawaii.
Whomever commits this
*https://issues.apache.org/bugzilla/show_bug.cgi?id=44382*
Will win a free stay in my guest house. :) Food included. Zip code
96703, 5 minutes from the beach.
=D
--
Jim
Tequila, tents, food and wireless access provided!!! Tomcat coding party
at Jim's house!
nice, since we work RTC (Review-Then-Commit) you're gonna have to extend
this invitation to everyone who votes for the patch's inclusion :)
Lol
Filip
Beer provided ?
Jim Manico
consideration would be greatly appreciated. Please at least
review before you jump down my throat, Remy! :)
Best,
Jim Manico
[EMAIL PROTECTED]
Senior Application Security Engineer
Aspect Security / OWASP.org
-
To unsubscribe
I'm continuing to do a security review of Tomcat 5.5 for my company. I
noticed that linefeeds get ripped out of header values which stops
header injection attacks cold. Whoever did this, I commend you. Many
other containers do not. You Rock.
Can anyone point me to the code that does this?
Thank you very much, Mark and Filip.
- Jim
Jim Manico wrote:
I'm continuing to do a security review of Tomcat 5.5 for my company.
I noticed that linefeeds get ripped out of header values which stops
header injection attacks cold. Whoever did this, I commend you. Many
other containers do
According to Daniel Stenberg, Cookies are not even *mentioned* in RFC2616
Per http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0623.html
On Tue, 18 Mar 2008, Jim Manico wrote:
Are there any efforts underway to support the HttpOnly cookie directive
within any version of the HTTP
Right, but are there any active cookie standards that can be amended?
7 /12 year old standards are not very valid or useful in the fast-moving
internut world.
- Jim
The standard is only 7 1/2 years old;
http://www.ietf.org/rfc/rfc2965
Jim Manico wrote:
According to Daniel Stenberg, Cookies
Rely,
This is not a ms hack, but a security enhancement supported by all
browsers. Do some research and get back to us.
Jim
On Mar 10, 2008, at 5:33 AM, Remy Maucherat [EMAIL PROTECTED] wrote:
On Sun, 2008-03-09 at 19:56 -0700, Filip Hanik - Dev Lists wrote:
haven't forgotten about you,
Remy,
I recommend more careful research on this topic.
IE 6+ supports HttpOnly
FireFox 2.0.0.6+ support HttpOnly
Opera 9.5+ has promised HttpOnly support
Safari is still considering
On Mon, 2008-03-10 at 08:16 -0400, Jim Manico wrote:
Rely,
This is not a ms hack, but a security
Gentlemen,
I'd like to make a suggestion to add HTTPOnly support to Tomcat 5.5 (for
starters). This is a significant security enhancement that will assist
in preventing XSS attacks.
http://msdn2.microsoft.com/en-us/library/ms533046.aspx
Since the javax core is a sacred portion of the
Remy,
I think it would serve you to review the proposed Apache code of conduct
at http://wiki.apache.org/incubator/CodeOfConduct
*Motto*
*Core Value*
* Put community before code. *
* collaboration *
Let they that do the work make the decisions.
, such as reflective XSS due to poor
input validation. Low risk as Filip saz, but a security problem
none-the-less.
- Jim
Filip Hanik - Dev Lists wrote:
Jim Manico wrote:
I guess we could throw a run time exception if the value contained
any of those. other than that, I'm not sure how to behave
I think
Filip - you are 100% correct on this thread. Are you basically the
traffic cop guarding the core of Tomcat?
- Jim
Mark Thomas wrote:
Remy Maucherat wrote:
Filip Hanik - Dev Lists wrote:
Jim Manico wrote:
I guess we could throw a run time exception if the value
contained any of those
That post was meant to go to Filip only, since he is an old friend. I
was not trying to poke fun at your perspective on this public list,
Remy. I'm going exit stage left and stop adding my thoughts to this thread.
My apologies.
- Jim
On Sun, 2008-02-10 at 11:44 -0500, Jim Manico wrote
response.addCookie(new Cookie(test_cookie3, 123===)) looks like
something which should be working.
Honestly, this is not user driven - it's only server programmer driven.
I would dare to say this is either absolutely horrible server side
programming or a possible attempt at a hack/attack
Filip,
Would you consider auto-encoding only = and ; in the cookie value, but
leaving everything else alone for v0 cookies? Would this possibly pass TCK?
- Jim
no regression, if you do this
c = new javax.servlet.http.Cookie(abcv1,123==);
c.setVersion(1);
response.addCookie(c);
then it
What about making
//cookies v0
c = new javax.servlet.http.Cookie(abcv0,123==);
response.addCookie(c);
At least throw some kind of malformedCookieData exception instead of
just failing gracefully to accelerate programmers ability to upgrade
legacy systems?
- Jim
On Sat, 2008-02-09 at 16:14
I guess we could throw a run time exception if the value contained
any of those. other than that, I'm not sure how to behave
I think this is the best case scenario for v0 cookies. Perhaps, if you
really want to get fancy, you can add a flag to let legacy solutions
roll back to the
we fixed the cookie behavior in this release due to security issues
filed against the old parsing.
Gotchya, Filip. Makes sense.
What about the Runtime exception? That might at least allow legacy
systems to debug this problem fast. Fail Quietly doesn't seem like a
good solution.
- Jim
Jim
I would like to add HTTPOnly support to the tomcat session handler
I added a bugzilla item
http://issues.apache.org/bugzilla/show_bug.cgi?id=44382
Thoughts would be greatly apprecited
Jim Manico, Senior Application Security Engineer
mailto:[EMAIL PROTECTED] [EMAIL
.
Best,
Jim Manico
the latest JDK and JRE.
We suspect this is an issue with Tomcats classloader.
Any suggestions?
Jim Manico
VP Software Engineering
CodeMagi, Inc.
808-652-3805 cell
801-606-7888 fax
[EMAIL PROTECTED]
42 matches
Mail list logo