http://nagoya.apache.org/bugzilla/show_bug.cgi?id=5004

Summary: /a/b/c/nonexistent.jsp -> a file and directory chain created. attack risk
Product: Tomcat 4
Version: 4.0.1 Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: Other
Component: Jasper
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

Both for Tomcat 3.3 and 4.0.1, if we do a request for /a/b/c/nonexistent.jsp while such a file does not exist, then in the temporary dir where the compiled JSPs are stored an a/b/c directory chain is created, and an empty or 1-byte file is created with a name derived from nonexistent.jsp (the file name differs between 3.3 and 4.0.1).

Now imagine that someone does the following request: 1/1/1/1/1/1 .. (32 directories) .. 1/1/1.jsp. This will cause creation of 32 directories and 1 file. Then imagine he calls 2/2/2/... 2/2.jsp, 3/3/3/.... 3/3.jsp and so forth. Every request will trigger creation of 32 directories and 1 file.

On some file systems it can happen that 1 directory may take 4kb of disk space. That is 4 x 32 = 128kb per request. 2 requests per second x 3600 -> over 900 Mb per hour. This is a significant disk space leakage.

This is how a potential DoS attack against Tomcat can be constructed.
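
A detection sketch for the pattern reported above, added here as an example and not part of the bug report or of Tomcat: it scans access-log lines for clients requesting many distinct, deeply nested, missing .jsp paths and estimates the directory overhead using the report's 4 KB per directory figure. The Common Log Format input, the 404 status for a missing JSP, the thresholds and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Common Log Format (not taken from the report).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Dec/2001:10:00:00 +0000] "GET /1/1/1/1/1/1/1/1.jsp HTTP/1.0" 404 512
192.0.2.10 - - [01/Dec/2001:10:00:01 +0000] "GET /2/2/2/2/2/2/2/2.jsp HTTP/1.0" 404 512
192.0.2.10 - - [01/Dec/2001:10:00:01 +0000] "GET /3/3/3/3/3/3/3/3.jsp HTTP/1.0" 404 512
198.51.100.7 - - [01/Dec/2001:10:00:02 +0000] "GET /index.jsp HTTP/1.0" 200 2048
198.51.100.7 - - [01/Dec/2001:10:00:03 +0000] "GET /docs/old.jsp HTTP/1.0" 404 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
DIR_COST_KB = 4  # per-directory cost quoted in the report; varies by file system


def summarize(log_text, min_depth=4, min_paths=3):
    """Return {client: (distinct_paths, directories, estimated_kb)} for flagged clients.

    min_depth and min_paths are hypothetical thresholds; tune them per site.
    """
    seen = defaultdict(dict)  # client -> {path: tuple of directory components}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        path = target.split("?", 1)[0]
        # Assumption: a request for a nonexistent JSP is logged with status 404.
        if status != "404" or not path.endswith(".jsp"):
            continue
        dirs = tuple(p for p in path.split("/")[:-1] if p)
        if len(dirs) >= min_depth:
            seen[client][path] = dirs
    flagged = {}
    for client, paths in seen.items():
        if len(paths) < min_paths:
            continue
        # Count each directory prefix once: a shared parent is only created once.
        prefixes = {d[:i] for d in paths.values() for i in range(1, len(d) + 1)}
        flagged[client] = (len(paths), len(prefixes), len(prefixes) * DIR_COST_KB)
    return flagged


if __name__ == "__main__":
    for client, (paths, dirs, kb) in summarize(SAMPLE_LOG).items():
        print(f"{client}: {paths} deep missing-JSP paths, ~{dirs} dirs, ~{kb} KB")
```

The estimate is an upper bound on directory overhead from the log alone; comparing it with the actual size of the JSP work directory confirms whether the directories were really created.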