Posted to dev@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2011/09/08 17:13:34 UTC

Mitigating AJP CPing/Forward-Request packet forgery before next releases

All,
https://issues.apache.org/bugzilla/show_bug.cgi?id=51698

Mark's official report to the users' list indicates that setting a
"secret" for the AJP connection does the trick. (I tried this myself
before digging-up his message and can confirm that the sample code fails
when a "secret" is set).

Should we mention this on the Security page directly for those who
didn't read the announcement on the users' list?

Thanks,
-chris
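The mitigation Chris is describing, shown as an added example for this thread (not code from Tomcat, mod_jk or httpd): a minimal encoder and decoder for the AJP13 CPing and Forward Request packets, plus a container-side gate that behaves like Tomcat's request.secret check. The byte layout follows the AJP13 protocol (magic 0x1234, 2-byte length, prefix 2 = Forward Request, 10 = CPing, strings as 2-byte length + bytes + NUL, attribute 0x0C = secret, 0xFF = end of attributes). The secret value "changeit", the request details and the function names are constructed for the example. A forged Forward Request, i.e. one built by someone who does not know the secret, arrives without the 0x0C attribute and is refused, which is why the sample code "fails" once a secret is set.

```python
"""AJP13 packets with and without the shared secret, and a request.secret-style gate.

Added example, not Tomcat, mod_jk or httpd code. Layout per AJP13; the
secret "changeit" and the request contents are constructed test data.
"""
import hmac
import struct

AJP_CLIENT_MAGIC = b"\x12\x34"     # proxy (mod_jk) -> container (Tomcat)
JK_AJP13_FORWARD_REQUEST = 2
JK_AJP13_CPING_REQUEST = 10
SC_M_GET = 2
SC_REQ_HOST = 0xA00B               # coded "Host" header name
SC_A_REQ_ATTRIBUTE = 0x0A          # generic name/value attribute
SC_A_SSL_KEY_SIZE = 0x0B           # the one attribute carrying a ushort
SC_A_SECRET = 0x0C                 # the shared secret
SC_A_ARE_DONE = 0xFF


def ajp_string(s):
    """Encode an AJP string; None is the 0xFFFF 'null string'."""
    if s is None:
        return b"\xff\xff"
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b + b"\x00"


def packet(body):
    return AJP_CLIENT_MAGIC + struct.pack(">H", len(body)) + body


def cping():
    return packet(bytes([JK_AJP13_CPING_REQUEST]))


def forward_request(uri, secret=None, server_name="localhost", server_port=80):
    """GET <uri> as a Forward Request; secret=None is what a forger can build."""
    body = bytes([JK_AJP13_FORWARD_REQUEST, SC_M_GET])
    body += ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string("127.0.0.1") + ajp_string(None)      # remote_addr, remote_host
    body += ajp_string(server_name) + struct.pack(">H", server_port)
    body += b"\x00"                                          # is_ssl = false
    body += struct.pack(">H", 1)                             # num_headers
    body += struct.pack(">H", SC_REQ_HOST) + ajp_string(server_name)
    if secret is not None:
        body += bytes([SC_A_SECRET]) + ajp_string(secret)
    body += bytes([SC_A_ARE_DONE])
    return packet(body)


def read_string(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if n == 0xFFFF:
        return None, pos
    return buf[pos:pos + n].decode("utf-8"), pos + n + 1     # skip the NUL


def parse(pkt):
    """Decode a CPing or Forward Request; ValueError on a malformed packet."""
    if pkt[:2] != AJP_CLIENT_MAGIC:
        raise ValueError("bad magic")
    (length,) = struct.unpack_from(">H", pkt, 2)
    body = pkt[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] == JK_AJP13_CPING_REQUEST:
        return {"type": "cping"}
    if body[0] != JK_AJP13_FORWARD_REQUEST:
        raise ValueError("unexpected prefix %d" % body[0])
    req = {"type": "forward", "method": body[1], "headers": {}, "attributes": {}}
    pos = 2
    for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
        req[field], pos = read_string(body, pos)
    (req["server_port"],) = struct.unpack_from(">H", body, pos)
    req["is_ssl"] = body[pos + 2] != 0
    (num_headers,) = struct.unpack_from(">H", body, pos + 3)
    pos += 5
    for _ in range(num_headers):
        if body[pos] == 0xA0:                                # coded header name
            name = "0x%04x" % struct.unpack_from(">H", body, pos)[0]
            pos += 2
        else:
            name, pos = read_string(body, pos)
        req["headers"][name], pos = read_string(body, pos)
    while pos < len(body) and body[pos] != SC_A_ARE_DONE:
        code = body[pos]
        pos += 1
        if code == SC_A_REQ_ATTRIBUTE:
            name, pos = read_string(body, pos)
            req["attributes"][name], pos = read_string(body, pos)
        elif code == SC_A_SSL_KEY_SIZE:
            (req["attributes"][code],) = struct.unpack_from(">H", body, pos)
            pos += 2
        else:                                                # string-valued attribute
            req["attributes"][code], pos = read_string(body, pos)
    return req


def accept(pkt, required_secret):
    """Container-side gate in the spirit of Tomcat's request.secret: with a
    secret configured, a Forward Request must carry SC_A_SECRET equal to it
    or it is refused (Tomcat answers 403 and drops the connection). CPing
    carries no attributes and is always answered."""
    req = parse(pkt)
    if req["type"] == "forward" and required_secret is not None:
        presented = (req["attributes"].get(SC_A_SECRET) or "").encode("utf-8")
        if not hmac.compare_digest(presented, required_secret.encode("utf-8")):
            return 403, req
    return 200, req
```

The real configuration is two matching values: request.secret on Tomcat's AJP Connector in server.xml, and worker.<name>.secret in mod_jk's workers.properties. The secret travels in clear text inside every Forward Request, so it authenticates the proxy to a container that is already on a trusted network segment; it is not a substitute for binding the AJP port to an internal address or firewalling it to the proxies.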


Re: Mitigating AJP CPing/Forward-Request packet forgery before next releases

Posted by Mark Thomas <ma...@apache.org>.
On 08/09/2011 21:22, Christopher Schultz wrote:
> Mark,
> 
> On 9/8/2011 11:47 AM, Mark Thomas wrote:
>> On 08/09/2011 16:13, Christopher Schultz wrote:
>>> Should we mention this on the Security page directly for those
>>> who didn't read the announcement on the users' list?
>> 
>> No reason why not. Go for it.
> 
> Also, security-5.html says that Tomcat 5.0.0 - 5.0.33 are affected.
> It should probably be 5.5.0-5.5.30, right?

It should say all 5.5.x versions up to the latest - 5.5.33 - are
affected. 5.0.x is almost certainly affected but since we stopped
supporting that we no longer check if it is vulnerable nor report on it.

I'll fix that in a tick.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Mitigating AJP CPing/Forward-Request packet forgery before next releases

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 9/8/2011 11:47 AM, Mark Thomas wrote:
> On 08/09/2011 16:13, Christopher Schultz wrote:
>> Should we mention this on the Security page directly for those who 
>> didn't read the announcement on the users' list?
> 
> No reason why not. Go for it.

Also, security-5.html says that Tomcat 5.0.0 - 5.0.33 are affected. It
should probably be 5.5.0-5.5.30, right?

-chris


Re: Mitigating AJP CPing/Forward-Request packet forgery before next releases

Posted by Mark Thomas <ma...@apache.org>.
On 08/09/2011 21:13, Christopher Schultz wrote:
> Mark,
> 
> On 9/8/2011 11:47 AM, Mark Thomas wrote:
>> On 08/09/2011 16:13, Christopher Schultz wrote:
>>> All, https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
>>> 
>>> Mark's official report to the users' list indicates that
>>> setting a "secret" for the AJP connection does the trick. (I
>>> tried this myself before digging-up his message and can confirm
>>> that the sample code fails when a "secret" is set).
>>> 
>>> Should we mention this on the Security page directly for those
>>> who didn't read the announcement on the users' list?
>> 
>> No reason why not. Go for it.
> 
> Okay. Any idea if mod_proxy_ajp supports the shared secret?

No idea at all off the top of my head. I'd be surprised if it didn't
since the mod_proxy_ajp code started with the mod_jk code.

> The documentation is so light on actually using mod_proxy_ajp that
> it might be supported ("ProxyPass /foo ajp://bar secret=changeit"?)
> but completely undocumented in the httpd documentation.
> 
> This is all I could find:
> 
> http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBcQFjAA&url=http%3A%2F%2Fwww.gossamer-threads.com%2Flists%2Fapache%2Fdev%2F332363&rct=j&q=mod_proxy_ajp%20secret&ei=fCFpTtWRAuPL0QGUo-CDDA&usg=AFQjCNHOT2d5i5zlmL06G4eoMG5skYTkVw&cad=rja

What is wrong with looking at the source code? I'm no C programmer but
it looks like the necessary code is in place. Probably quicker to just
try it to confirm it.

Mark



Re: Mitigating AJP CPing/Forward-Request packet forgery before next releases

Posted by Christopher Schultz <ch...@christopherschultz.net>.
JF,

On 9/9/2011 7:02 AM, jean-frederic clere wrote:
> Yep. We need a directive to set the secret in httpd, I will discuss that
> in httpd dev list.

Thanks for the confirmation.

-chris


Re: Mitigating AJP CPing/Forward-Request packet forgery before next releases

Posted by jean-frederic clere <jf...@gmail.com>.
On 09/08/2011 11:58 PM, Konstantin Kolinko wrote:
> 2011/9/9 Christopher Schultz<ch...@christopherschultz.net>:
>> On 9/8/2011 11:47 AM, Mark Thomas wrote:
>>> On 08/09/2011 16:13, Christopher Schultz wrote:
>>>> All, https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
>>>>
>>>> Mark's official report to the users' list indicates that setting a
>>>> "secret" for the AJP connection does the trick. (I tried this
>>>> myself before digging-up his message and can confirm that the
>>>> sample code fails when a "secret" is set).
>>>>
>>>> Should we mention this on the Security page directly for those who
>>>> didn't read the announcement on the users' list?
>>>
>>> No reason why not. Go for it.
>>
>> Okay. Any idea if mod_proxy_ajp supports the shared secret? The
>> documentation is so light on actually using mod_proxy_ajp that it might
>> be supported ("ProxyPass /foo ajp://bar secret=changeit"?) but
>> completely undocumented in the httpd documentation.
>>
>> This is all I could find:
>> (..)
>>
>
> I understand that the sources for that module for the current HTTPD
> branch are in the following place in ASF svn:
> /httpd/httpd/branches/2.2.x/modules/proxy/
>
> The only code that mentions "secret" is in ajp_header.c there (besides
> a constant declared in ajp_header.h) and it is commented out
>
> /* XXXX need to figure out how to do this
>      if (s->secret) {
>
>
> There is no parameter or local variable named "s" in that method, so
> it probably originates from mod_jk.

Yep. We need a directive to set the secret in httpd, I will discuss that 
in httpd dev list.

Cheers

Jean-Frederic

>
> Best regards,
> Konstantin Kolinko
>




Re: Mitigating AJP CPing/Forward-Request packet forgery before next releases

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/9/9 Christopher Schultz <ch...@christopherschultz.net>:
> On 9/8/2011 11:47 AM, Mark Thomas wrote:
>> On 08/09/2011 16:13, Christopher Schultz wrote:
>>> All, https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
>>>
>>> Mark's official report to the users' list indicates that setting a
>>> "secret" for the AJP connection does the trick. (I tried this
>>> myself before digging-up his message and can confirm that the
>>> sample code fails when a "secret" is set).
>>>
>>> Should we mention this on the Security page directly for those who
>>> didn't read the announcement on the users' list?
>>
>> No reason why not. Go for it.
>
> Okay. Any idea if mod_proxy_ajp supports the shared secret? The
> documentation is so light on actually using mod_proxy_ajp that it might
> be supported ("ProxyPass /foo ajp://bar secret=changeit"?) but
> completely undocumented in the httpd documentation.
>
> This is all I could find:
>(..)
>

I understand that the sources for that module for the current HTTPD
branch are in the following place in ASF svn:
/httpd/httpd/branches/2.2.x/modules/proxy/

The only code that mentions "secret" is in ajp_header.c there (besides
a constant declared in ajp_header.h) and it is commented out

/* XXXX need to figure out how to do this
    if (s->secret) {


There is no parameter or local variable named "s" in that method, so
it probably originates from mod_jk.

Best regards,
Konstantin Kolinko



Re: Mitigating AJP CPing/Forward-Request packet forgery before next releases

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 9/8/2011 11:47 AM, Mark Thomas wrote:
> On 08/09/2011 16:13, Christopher Schultz wrote:
>> All, https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
>>
>> Mark's official report to the users' list indicates that setting a 
>> "secret" for the AJP connection does the trick. (I tried this
>> myself before digging-up his message and can confirm that the
>> sample code fails when a "secret" is set).
>>
>> Should we mention this on the Security page directly for those who 
>> didn't read the announcement on the users' list?
> 
> No reason why not. Go for it.

Okay. Any idea if mod_proxy_ajp supports the shared secret? The
documentation is so light on actually using mod_proxy_ajp that it might
be supported ("ProxyPass /foo ajp://bar secret=changeit"?) but
completely undocumented in the httpd documentation.

This is all I could find:

http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBcQFjAA&url=http%3A%2F%2Fwww.gossamer-threads.com%2Flists%2Fapache%2Fdev%2F332363&rct=j&q=mod_proxy_ajp%20secret&ei=fCFpTtWRAuPL0QGUo-CDDA&usg=AFQjCNHOT2d5i5zlmL06G4eoMG5skYTkVw&cad=rja

Thanks,
-chris


Re: Mitigating AJP CPing/Forward-Request packet forgery before next releases

Posted by Mark Thomas <ma...@apache.org>.
On 08/09/2011 16:13, Christopher Schultz wrote:
> All, https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
> 
> Mark's official report to the users' list indicates that setting a 
> "secret" for the AJP connection does the trick. (I tried this
> myself before digging-up his message and can confirm that the
> sample code fails when a "secret" is set).
> 
> Should we mention this on the Security page directly for those who 
> didn't read the announcement on the users' list?

No reason why not. Go for it.

Mark
