Mark and Michael,

On 10/10/18 05:15, Mark Thomas wrote:
> On 08/10/18 21:55, Michael Yoder wrote:
>> On Wed, Oct 3, 2018 at 12:50 PM Mark Thomas <ma...@apache.org>
>> wrote:
>>> CVE-2018-11784 Apache Tomcat - Open Redirect
>> 
>> Is it possible to get more information on the "specially crafted
>> URL"? I'd like more information so that I can test if some of our
>> apps are vulnerable.
> 
> Generally, there is a balance to strike here between making it easy
> for the less technically competent attackers to construct an attack
> and making it easy for end users to figure out if they are
> vulnerable. The way we typically do this is by describing the
> conditions necessary for an attack to be possible as completely as
> possible but not providing details of how to perform an attack.
> 
> We also provide references to the commit that fixed the issue. For 
> someone with the right skills, there is usually enough information
> in the description and the commit for a successful attack to be
> reverse engineered.

It doesn't look like Sergey has posted anything (that I can find) that
might be called a full disclosure. If he had, I'd point it out.

If I were you, I'd just make sure that you either (a) upgrade or (b)
use the existing settings to mitigate the potential problem, as
described in the announcement.

-chris
