I completely agree with Marc. This is a very serious problem and if I 
understand Thom's mail right, it affects ALL realms including SimpleRealm, 
JDBCRealm etc.

I also request others using tomcat auth to revisit their applications and 
make sure users and roles are being assigned properly. Perhaps many may be 
hit by this problem but have not discovered it yet. Without a solution to 
this problem I will have to redesign security for my application and that 
will blow my project plan!

We already seem to have a solution posted by Thom Park. Can someone from 
tomcat dev please consider it and release a patch?

Please help.

Rajesh


>From: Marc Palmer <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Re: Auth bug in 3.2.1?
>Date: Sat, 14 Apr 2001 08:08:21 GMT
>
> >Hi Marc,
> >I saw this problem in 3.2.1 as well - I made a fix for it in the tomcat
> >that ships with the Borland AppServer but
> >couldn't get anyone to comment on the fix in the main code-line
> >(essentially I'm not a committer so couldn't submit the fix)
>Hi Thom,
>Thanks for the info. Can someone from the Tomcat development team please
>comment on this? I would have thought that this was quite a serious
>security problem – am I wrong?
>The way I see it, the bug could lead to anybody grabbing another user's
>role while appearing to be somebody else. This is certainly possible if
>you use somebody else's PC after they have. It may be even worse if you
>can also do this from a different PC – essentially getting a "random"
>role that somebody else already "provided" by logging in. Not to mention
>plain old failure in the case where a higher "privileged" person gets a
>lower privileged role allocated. It's not clear at this time whether the
>principal caching is tied to IP or "per pooled connection". If the
>latter, it's a bit more scary.
>So once again, can someone from the Tomcat team PLEASE comment on this
>problem and whether a fix is being implemented? Perhaps there is too much
>work/redesign going on in 4.0 for people to consider patching 3.2.x but I
>would have thought this is pretty essential, and perhaps even merits a
>post to the BUGTRAQ mailing list. We already have 3 confirmed "sufferers"
>– who knows how many systems that depend on tomcat have slipped through
>the net and represent significant authentication breaches?
>
>Cheers
>
>
