Posted to dev@tomcat.apache.org by bu...@apache.org on 2022/07/19 10:01:22 UTC
[Bug 66170] New: change IllegalArgumentException log output
https://bz.apache.org/bugzilla/show_bug.cgi?id=66170
Bug ID: 66170
Summary: change IllegalArgumentException log output
Product: Tomcat 9
Version: 9.0.64
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: apache@resellerdesktop.de
Target Milestone: -----
ATM we get this output in the logs when a hacker tries to scan for
vulnerabilities:
Juli 19, 2022 11:45:22 VORM. org.apache.coyote.http11.Http11Processor service
INFORMATION: Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Ungültiges Zeichen im Methodennamen [ep.zyxel80;rm+-rf+arm7%3b%23&remoteSubmit=Save0x0d0x0a0x0d0x0a...] gefunden. HTTP Methodennamen müssen Token sein
        at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:419)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:271)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1787)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:829)
This is as helpful as a rotten tomato, because:
a) Nobody cares for this stacktrace, the error message is important.
b) the offending IP is not logged, so you can't defend the server against that
attacker.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 66170] change IllegalArgumentException log output
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66170
--- Comment #1 from Don't show my email <ap...@resellerdesktop.de> ---
A helpful log message would be:
IP: what happened : offending line of http request
It needs to be parseable by NIDS systems.
[Bug 66170] change IllegalArgumentException log output
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66170
Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #2 from Mark Thomas <ma...@apache.org> ---
Different users consider those messages useful. If you don't want to see them
then you can disable them via configuration. See the docs for the
org.apache.juli.logging.UserDataHelper.CONFIG system property.
If you want to provide a feed to an NIDS then you would be better off looking
in the access logs for 400 responses. Ones that report a null URI are
particularly likely candidates as that indicates that the request was so
malformed, Tomcat could not reliably parse the URI.
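
One way to build the NIDS feed suggested in comment #2, as an added example that is not part of the thread or of Tomcat: it reads access log lines, keeps the 400 responses, marks the ones with no parsable URI, and emits the "IP: what happened : offending line" shape asked for in comment #1. Assumptions: the AccessLogValve uses the "common" pattern, an unparsed request line is rendered as "-" or with a literal "null" URI, and the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>.*)" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2022:11:45:20 +0200] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [19/Jul/2022:11:45:22 +0200] "-" 400 -
203.0.113.7 - - [19/Jul/2022:11:45:23 +0200] "GET null null" 400 -
198.51.100.4 - - [19/Jul/2022:11:46:01 +0200] "POST /login HTTP/1.1" 400 435
this line is not an access log entry
"""


def uri_missing(request):
    # Assumption: an unparsed request line is logged as "-" or with a literal "null" URI.
    parts = request.split(" ")
    return request == "-" or (len(parts) >= 2 and parts[1] == "null")


def bad_requests(lines):
    """Yield (ip, request, null_uri) for each 400 response; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("status") == "400":
            yield m.group("host"), m.group("request"), uri_missing(m.group("request"))


def feed(lines):
    """One 'IP: what happened : offending request line' string per 400 response."""
    return [
        f"{ip}: {'400 unparseable request' if null_uri else '400 bad request'} : {request}"
        for ip, request, null_uri in bad_requests(lines)
    ]


def offenders(lines):
    """Count null-URI 400 responses per client address."""
    return Counter(ip for ip, _, null_uri in bad_requests(lines) if null_uri)


if __name__ == "__main__":
    print("\n".join(feed(SAMPLE_LOG.splitlines())))
    print(offenders(SAMPLE_LOG.splitlines()))
```

The greedy request group is anchored on the trailing status and size fields, so a request line that itself contains double quotes still parses as one field.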