Damn,

should not read/write emails on Sunday - thanks a million,

Cheers,

S.

On 24 Jun 2007, at 17:52, Rainer Jung wrote:

You didn't really read the part of the page I referred to and instead decided to read the CVE. The page I sent you will tell you about System properties that make the behaviour configurable.

Sebastian Kruk wrote:
Thanks,
so if I got it right - due to some security reasons:
"Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache."
... I cannot use a sequence of .. (dot dot), /, \ and %5C
Yes, but it is strange, since I have neither (dot dot) nor %5C nor \ [we cannot ban / completely, right?]. Tomcat seems to be reacting strangely to %2F, which has to be URL-encoded, since this is a URI I am passing to an internal procedure; if this URI is not URL-encoded, then my regexp-defined REST service endpoints will freak out and consider only what they see up to the / as a parameter.

As I said before, it seems that Tomcat is sensitive to a %2F in my URI, which is not on the list above:

http://localhost:8080/jeromedl/mbb/filter/marcont:hasDomain/http%3A%2F%2Fdmoz.org%2FTop

Can you, please, explain what is wrong with this URI? I have a feeling that although CVE-2007-0450 might be important, it has been implemented in the wrong way?
Thanks,
Sebastian
On 24 Jun 2007, at 16:09, Rainer Jung wrote:
Look for "CVE-2007-0450" in

http://tomcat.apache.org/security-6.html

Regards,

Rainer

Sebastian Kruk wrote:
Hello,
just a quick question. Why does a URI like the following:
http://localhost:8080/jeromedl/mbb/filter/marcont:hasDomain/http%3A%2F%2Fdmoz.org%2FTop
result in error 400 - incorrect URI - noSlash error in Tomcat 6.0.13, but was handled correctly in Tomcat 5.5?
After investigating a little I have noticed that the problem is in %2F sequence (URI encoding of /). Is there any HTTP specification detail that I have missed or is it, as I think it is, a bug in Tomcat 6?
Thanks for any hints,
Cheers,
Sebastian
--------------------------------------------
--   Sebastian Ryszard Kruk
--   Lead Researcher, Project Manager
--   Semantic Infrastructure Lab, eLearning Cluster
--   Digital Enterprise Research Institute
--   National University of Ireland, Galway
--   mailto: [EMAIL PROTECTED]
--   GG: 335067, Jabber: [EMAIL PROTECTED]
--   Skype: sebastiankruk
--   WWW: http://www.sebastiankruk.com/
--   mobile (IRL): +353 85 7126591
--   VoIP   (PL):  +48  52 5110114
--------------------------------------------
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

--
kippdata
informationstechnologie GmbH   Tel: 0228 98549 -0
Bornheimer Str. 33a            Fax: 0228 98549 -50
53111 Bonn                     www.kippdata.de

HRB 8018 Amtsgericht Bonn / USt.-IdNr. DE 196 457 417
Geschäftsführer: Dr. Thomas Höfer, Rainer Jung, Sven Maurmann
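To make Rainer's point concrete, here is an added Python model of why Tomcat 5.5.22 / 6.0.10 and later reject %2F in the request path by default, and what relaxing that means behind a reverse proxy. It is not code from the thread, from Tomcat or from Apache httpd: front_end_view() and back_end_view() are deliberately simplified stand-ins for the proxy's and the container's path handling, hidden_traversal() is a check of my own and not a Tomcat feature, and the two traversal-style sample paths against a made-up /app/public area are constructed. The thread does not name the system properties Rainer refers to; the ones Tomcat 6 provides for this are org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH and org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH, which the allow_encoded_slash / allow_backslash flags below stand in for.

```python
"""Why Tomcat 5.5.22+ / 6.0.10+ reject %2F (and %5C / backslash) in request
paths by default, and what relaxing that via the system property means.

Added illustration, not Tomcat's code: front_end_view() and back_end_view()
are simplified models of a reverse proxy and a servlet container, not the
real Apache httpd / Tomcat implementations.
"""
from urllib.parse import unquote


def normalize_segments(segments):
    """Resolve '.' and '..' segments; '..' at the root stays at the root.
    Empty segments (from '//') are dropped."""
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def front_end_view(raw_path):
    """Model of a proxy that normalises the *undecoded* path: only a literal
    '/' separates segments, so %2F and %5C are opaque bytes inside a segment."""
    return normalize_segments(raw_path.split("/"))


def back_end_view(raw_path, allow_encoded_slash=False, allow_backslash=False):
    """Model of the container after the CVE-2007-0450 fix: with the defaults
    it refuses %2F and %5C/backslash (Tomcat answers 400, the 'noSlash' error
    in the thread). When relaxed, it decodes first, treats '\\' as a separator
    the way Tomcat does, and then normalises. Returns None when rejected."""
    lowered = raw_path.lower()
    if not allow_encoded_slash and "%2f" in lowered:
        return None
    if not allow_backslash and ("%5c" in lowered or "\\" in raw_path):
        return None
    decoded = unquote(raw_path).replace("\\", "/")
    return normalize_segments(decoded.split("/"))


def hidden_traversal(raw_path):
    """Hypothetical defender's check for a container that allows encoded
    slashes behind a proxy: True when decoding exposes a '..' segment (or a
    backslash separator) that the undecoded path, as the proxy saw it,
    did not contain."""
    raw_segments = raw_path.split("/")
    decoded_segments = unquote(raw_path).replace("\\", "/").split("/")
    return ".." not in raw_segments and ".." in decoded_segments


# Constructed sample paths. LEGIT is the URI from the thread; the other two
# are made-up traversal attempts against a hypothetical /app/public area.
LEGIT = "/jeromedl/mbb/filter/marcont:hasDomain/http%3A%2F%2Fdmoz.org%2FTop"
ENC_SLASH = "/app/public/x%2F..%2F..%2Fprivate%2Fsecret.txt"
ENC_BACKSLASH = "/app/public/x%5C..%5C..%5Cprivate%5Csecret.txt"


def compare(raw_path, **opts):
    """Return (proxy view, container view, hidden traversal?) for one path."""
    return (front_end_view(raw_path),
            back_end_view(raw_path, **opts),
            hidden_traversal(raw_path))


if __name__ == "__main__":
    samples = (("LEGIT", LEGIT), ("ENC_SLASH", ENC_SLASH),
               ("ENC_BACKSLASH", ENC_BACKSLASH))
    for name, path in samples:
        print(name)
        print("  hardened default :", compare(path))
        print("  slashes relaxed  :",
              compare(path, allow_encoded_slash=True, allow_backslash=True))
```

Running it shows both views of each path. The URI from the thread is rejected under the defaults only because it contains %2F; with encoded slashes allowed it resolves to a path that still stays under /jeromedl/mbb/filter. The two constructed paths look like a single harmless segment to the proxy but resolve outside /app/public once the container decodes them, which is exactly the proxy/container mismatch CVE-2007-0450 describes. That is why switching ALLOW_ENCODED_SLASH on behind a front-end proxy is best paired with a post-decode check like hidden_traversal() or with access rules enforced on the container itself rather than only on the proxy.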