Posted to users@tomcat.apache.org by Rashma N <ra...@yahoo.co.in> on 2005/07/11 09:03:48 UTC

Tomcat 4.x security issue in protected environment

Hi,
 
We are using Tomcat 4.0.4 in our product. We have a daemon which is a wrapper around the tomcat.
 
We are facing one security issue with the Tomcat. If we send an HTTP packet with a long string in the Host field, it closes the connection.
EX: 
>>telnet <machine> <port on which tomcat is running>
GET /index.html HTTP/1.1
Host: <very long string>
------------
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Fri, 14 Oct 2005 05:16:57 GMT
Connection: close
Server: Apache Tomcat/4.0.4 (HTTP/1.1 Connector)
Connection closed by foreign host.

Though tomcat closes the connection, somewhere it is overwriting the memory and not cleaning up the buffer/memory which holds this host string. Because of this, applications which are already launched through the tomcat webserver get the exception and our daemon dies.
 
Can somebody help me in figuring out 
1. Is this a known issue with the tomcat?
2. If yes, can I get a patch on top of Tomcat 4x where the above problem is fixed?
 
Any pointers on this would be of great help!!!
 
Thanks,
Rashma


Re: Tomcat 4.x security issue in protected environment

Posted by Mark Thomas <ma...@apache.org>.
The short answers are:
1. No
2. No

The longer answer is:
This is categorically *not* a security issue with Tomcat. I have tested
this and Tomcat continues to operate correctly after a request with a
"very long" host header. This looks to me like an issue with your daemon.

And a few tips for future postings:
The phrase "very long" is totally useless. How long is a (very long)
piece of string? You need to be specific when discussing potential bugs
on tomcat-user if people are going to stand a chance of reproducing what
you are seeing.

Don't speculate wildly on the root cause of an issue. If you don't know
something, don't say anything or better yet say you don't know.
Inaccurate speculation presented as fact undermines your credibility and
significantly reduces your chances of receiving a response.

Finally, a public mailing list is not the right place to raise potential
security issues.

Mark

Rashma N wrote:
> Hi,
>  
> We are using Tomcat 4.0.4 in our product. We have a daemon which is a wrapper around the tomcat.
>  
> We are facing one security issue with the Tomcat. If we send an HTTP packet with a long string in the Host field, it closes the connection.
> EX: 
> 
>>>telnet <machine> <port on which tomcat is running>
> 
> GET /index.html HTTP/1.1
> Host: <very long string>
> ------------
> HTTP/1.1 400 Bad Request
> Content-Type: text/html
> Date: Fri, 14 Oct 2005 05:16:57 GMT
> Connection: close
> Server: Apache Tomcat/4.0.4 (HTTP/1.1 Connector)
> Connection closed by foreign host.
> 
> Though tomcat closes the connection, somewhere it is overwriting the memory and not cleaning up the buffer/memory which holds this host string. Because of this, applications which are already launched through the tomcat webserver get the exception and our daemon dies.
>  
> Can somebody help me in figuring out 
> 1. Is this a known issue with the tomcat?
> 2. If yes, can I get a patch on top of Tomcat 4x where the above problem is fixed?
>  
> Any pointers on this would be of great help!!!
>  
> Thanks,
> Rashma
> 




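Added example, not part of either message and not Tomcat code: one way to turn "very long" into an exact number and to check whether the server still answers afterwards, as the reply above asks for. It runs against a local stand-in server written for this example; `STAND_IN_LIMIT`, the handler and all function names are assumptions, and the 255-byte limit is constructed, not Tomcat's.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

STAND_IN_LIMIT = 255  # constructed limit for the stand-in server, not Tomcat's

class StandInHandler(BaseHTTPRequestHandler):
    """Local stand-in: answers 400 and closes when Host exceeds STAND_IN_LIMIT."""

    def do_GET(self):
        too_long = len(self.headers.get("Host", "")) > STAND_IN_LIMIT
        body = b"bad request\n" if too_long else b"ok\n"
        self.send_response(400 if too_long else 200)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the run quiet
        pass

def status_for_host_length(addr, n):
    """Send one GET whose Host value is exactly n bytes; return the status code."""
    request = b"GET /index.html HTTP/1.1\r\nHost: " + b"a" * n + b"\r\n\r\n"
    with socket.create_connection(addr, timeout=5) as sock:
        sock.sendall(request)
        reply = sock.makefile("rb").read()  # server closes after one response
    return int(reply.split(None, 2)[1])

def smallest_rejected_length(addr, low=1, high=8192):
    """Binary search; low must be accepted (200) and high rejected (400)."""
    while high - low > 1:
        mid = (low + high) // 2
        if status_for_host_length(addr, mid) == 400:
            high = mid
        else:
            low = mid
    return high

def run_check():
    server = ThreadingHTTPServer(("127.0.0.1", 0), StandInHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        threshold = smallest_rejected_length(server.server_address)
        # A normal request after the rejected ones shows the server still serves.
        return threshold, status_for_host_length(server.server_address, 9)
    finally:
        server.shutdown()
        server.server_close()
```

The two values returned by `run_check()` are what a report needs: the exact Host length at which the 400 starts, and the status of an ordinary request sent afterwards.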