Posted to users@tomcat.apache.org by "Rinehart, Steve C" <ri...@BATTELLE.ORG> on 2002/07/18 21:50:08 UTC

Is Tomcat affected by the Apache HTTP Server "chunked" encoding vulnerability?

I posted this once before but thought I'd give it one more try.

Does anyone know if the Apache HTTP Server "chunked" encoding vulnerability
in the Apache Web server is also present in Tomcat 3.2.1? See below.

We are using Tomcat 3.2.1 on Windows NT 4.0 in standalone mode. We have not
specifically installed the Apache HTTP Server.

Is this vulnerability also present in Tomcat? 

Apache HTTP Server Exploit in Circulation

Synopsis:

IS X-Force has learned that a functional remote Apache HTTP Server
exploit has been released. This exploit may have been in use in the
underground for some time. 
.
.
.
Affected Versions:

Apache 1.3.x versions up to and including 1.3.24
Apache 2.x versions up to and including 2.0.36
.
.
.
Apache contains a flawed mechanism meant to calculate the size of
"chunked" encoding. Chunked encoding is part of the HTTP Protocol
Specification used for accepting data from Web users. When data is sent
from the user, the Web server needs to allocate a memory buffer of a
certain size to hold the submitted data. When the size of the data being
submitted is unknown, the client or Web browser will communicate with
the server by creating "chunks" of data of a negotiated size.

The Apache HTTP Server has a software flaw that misinterprets the size
of incoming data chunks. This error may lead to a stack overflow, denial
of service, and/or, the potential to execute arbitrary commands.

X-Force has verified that this issue is exploitable on Apache HTTP
Server version 1.3.24 for Windows (Win32)
.
.
.


Thanks, Steve
Information Management
Technology Group, Network Computing Systems
(614) 424-6543
mailto:rineharts@battelle.org


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Is Tomcat affected by the Apache HTTP Server "chunked" encoding vulnerability?

Posted by Remy Maucherat <re...@apache.org>.
Tim Funk wrote:
> No. Java applications cannot be victim to buffer overflow errors.

That's true, and that's a big advantage of having a VM for server side 
apps (as the most serious security issues are usually buffer overflows).
What actually happens when you have a "buffer overflow" in Java is you 
get an AOOB exception.

Here, the funny thing is that TC 4.1 (and Coyote HTTP/1.1) had a bug
very similar to the HTTPD. So using a malformed chunk as described in
the security report and used in the Gobbles exploit would cause a nasty
stack trace to be printed out to the stderr (the bug has been fixed
since, and invalid chunks are now handled properly). Without the VM
sandboxing, this would have caused the same exploit as on the HTTPd.

Remy

> Rinehart, Steve C wrote:
> 
>> I posted this once before but thought I'd give it one more try.
>>
>> Does anyone know if the Apache HTTP Server "chunked" encoding 
>> vulnerability
>> in the Apache Web server is also present in Tomcat 3.2.1? See below
>>
>> We are using Tomcat 3.2.1 on Windows NT 4.0 in standalone mode. We 
>> have not
>> specifically installed the Apache HTTP  Server.
>>
>> Is this vulnerability also present in Tomcat?
>> Apache HTTP Server Exploit in Circulation
>>
>> Synopsis:
>>
>> IS X-Force has learned that a functional remote Apache HTTP Server
>> exploit has been released. This exploit may have been in use in the
>> underground for some time. .
>> .
>> .
>> Affected Versions:
>>
>> Apache 1.3.x versions up to and including 1.3.24
>> Apache 2.x versions up to and including 2.0.36
>> .
>> .
>> .
>> Apache contains a flawed mechanism meant to calculate the size of
>> "chunked" encoding. Chunked encoding is part of the HTTP Protocol
>> Specification used for accepting data from Web users. When data is sent
>> from the user, the Web server needs to allocate a memory buffer of a
>> certain size to hold the submitted data. When the size of the data being
>> submitted is unknown, the client or Web browser will communicate with
>> the server by creating "chunks" of data of a negotiated size.
>>
>> The Apache HTTP Server has a software flaw that misinterprets the size
>> of incoming data chunks. This error may lead to a stack overflow, denial
>> of service, and/or, the potential to execute arbitrary commands.
>>
>> X-Force has verified that this issue is exploitable on Apache HTTP
>> Server version 1.3.24 for Windows (Win32)


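An added example, not part of the thread and not taken from httpd or Tomcat source: one way a C parser can "misinterpret the size of incoming data chunks" as the quoted advisory puts it, shown beside a strict parser that rejects invalid chunk-size lines. The function names, `BUF_SIZE` and `MAX_CHUNK` are hypothetical, and the signed wrap-around is an illustration of this class of bug, not a reconstruction of the httpd code.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_SIZE 8192        /* hypothetical per-read buffer size */
#define MAX_CHUNK (1u << 20) /* hypothetical policy limit: 1 MiB per chunk */

static int hex_val(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Naive form: no digit limit and a signed result, so "ffffffff" comes back
 * as -1 on the usual two's-complement targets. */
int32_t naive_chunk_size(const char *line) {
    uint32_t acc = 0; /* unsigned arithmetic keeps the wrap well-defined */
    for (; hex_val((unsigned char)*line) >= 0; line++)
        acc = (acc << 4) | (uint32_t)hex_val((unsigned char)*line);
    return (int32_t)acc;
}

/* Signed bound check: a negative size is "smaller" than the buffer and passes. */
int32_t naive_copy_len(int32_t chunk) {
    return chunk < BUF_SIZE ? chunk : BUF_SIZE;
}

/* Hardened: 0 and *out set on success, -1 on a malformed or oversized size line. */
int strict_chunk_size(const char *line, size_t *out) {
    uint32_t acc = 0;
    int digits = 0;
    for (; hex_val((unsigned char)*line) >= 0; line++) {
        if (++digits > 8) return -1;   /* more digits than fit in 32 bits */
        acc = (acc << 4) | (uint32_t)hex_val((unsigned char)*line);
    }
    if (digits == 0) return -1;        /* no hex digits at all */
    if (*line != '\0' && *line != ';' && *line != '\r') return -1; /* junk after size */
    if (acc > MAX_CHUNK) return -1;    /* larger than policy allows */
    *out = acc;
    return 0;
}

int main(void) {
    size_t n;
    printf("naive copy length for ffffffff: %d\n", (int)naive_copy_len(naive_chunk_size("ffffffff")));
    printf("strict result for ffffffff: %d\n", strict_chunk_size("ffffffff", &n));
    return 0;
}
```

A negative length that survives the bound check becomes a huge `size_t` if it is later handed to a copy routine in C; in Java the equivalent out-of-range access is stopped by the runtime's array bounds check, which is the difference discussed in the reply above.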

Re: Is Tomcat affected by the Apache HTTP Server "chunked" encoding vulnerability?

Posted by Tim Funk <fu...@joedog.org>.
No. Java applications cannot be victim to buffer overflow errors.

Rinehart, Steve C wrote:
> I posted this once before but thought I'd give it one more try.
> 
> Does anyone know if the Apache HTTP Server "chunked" encoding vulnerability
> in the Apache Web server is also present in Tomcat 3.2.1? See below
> 
> We are using Tomcat 3.2.1 on Windows NT 4.0 in standalone mode. We have not
> specifically installed the Apache HTTP  Server.
> 
> Is this vulnerability also present in Tomcat? 
> 
> Apache HTTP Server Exploit in Circulation
> 
> Synopsis:
> 
> IS X-Force has learned that a functional remote Apache HTTP Server
> exploit has been released. This exploit may have been in use in the
> underground for some time. 
> .
> .
> .
> Affected Versions:
> 
> Apache 1.3.x versions up to and including 1.3.24
> Apache 2.x versions up to and including 2.0.36
> .
> .
> .
> Apache contains a flawed mechanism meant to calculate the size of
> "chunked" encoding. Chunked encoding is part of the HTTP Protocol
> Specification used for accepting data from Web users. When data is sent
> from the user, the Web server needs to allocate a memory buffer of a
> certain size to hold the submitted data. When the size of the data being
> submitted is unknown, the client or Web browser will communicate with
> the server by creating "chunks" of data of a negotiated size.
> 
> The Apache HTTP Server has a software flaw that misinterprets the size
> of incoming data chunks. This error may lead to a stack overflow, denial
> of service, and/or, the potential to execute arbitrary commands.
> 
> X-Force has verified that this issue is exploitable on Apache HTTP
> Server version 1.3.24 for Windows (Win32)
> .
> .
> .
> 
> 
> Thanks, Steve
> Information Management
> Technology Group, Network Computing Systems
> (614) 424-6543
> mailto:rineharts@battelle.org