Posted to dev@tomcat.apache.org by bu...@apache.org on 2004/08/09 13:57:41 UTC
DO NOT REPLY [Bug 30539] New: -
possible security hole: mod_jk2 bypassed when client issues Host: header with an invalid port number
http://issues.apache.org/bugzilla/show_bug.cgi?id=30539
Summary: possible security hole: mod_jk2 bypassed when client issues Host: header with an invalid port number
Product: Tomcat 5
Version: 5.0.24
Platform: Other
OS/Version: Linux
Status: NEW
Severity: Major
Priority: Other
Component: Connector:AJP
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: aleksander.adamowski.apache@altkom.pl
I have a specific mod_jk2 2.0.4 configuration which maps 2 different port
numbers (running different Apache 2.0.49 virtual hosts) to 2 different Tomcat
5.0.24 services.
I managed to do this by using the following workers2.properties configuration (I
provide relevant directives only):
--- BEGIN SNIP ---
[ajp13:localhost:8009]
channel=channel.socket:localhost:8009
group=ajp13:localhost:8009
[ajp13:localhost:8010]
channel=channel.socket:localhost:8010
group=ajp13:localhost:8010
[channel.socket:localhost:8009]
port=8009
host=localhost
group=ajp13:localhost:8009
[channel.socket:localhost:8010]
port=8010
host=localhost
group=ajp13:localhost:8010
# URI mappings
[uri:*:80/*.jsp]
group=ajp13:localhost:8009
[uri:*:443/*.jsp]
group=ajp13:localhost:8009
# mapping from the second Apache virtual host (running on secret port XXXX)
# to the second Tomcat service:
[uri:*:XXXX/*.jsp]
group=ajp13:localhost:8010
--- END SNIP ---
This configuration works fine, but there's a security problem we've recently
discovered that I suspect to be mod_jk2's fault:
If an HTTP client requests a JSP page and supplies a "Host:" HTTP header, and
provides a port there, and the port is not valid (that is, it's not 80, 443, or
XXXX), then Apache spills out the JSP file's source instead of putting it
through mod_jk2 to be serviced by Tomcat!
This can be easily reproduced with the livehttpheaders extension for Mozilla.
Steps to reproduce:
1) install the livehttpheaders extension in Mozilla:
http://livehttpheaders.mozdev.org/
2) open the livehttpheaders window (Tools->Web Development->Live HTTP Headers)
3) load a JSP page from Apache, it should display normally
4) select the URL line above the "GET XXXX.jsp" line in the livehttpheaders window
5) click "Replay..."
6) change the "Host:" header to use an invalid port number, e.g. "Host:
www.example.com:1234"
7) click "Replay" - In my case, I received the source of JSP page (as text/plain).
I've tried remedying the problem by supplying additional "catch-all" URI
mappings at the end of workers2.properties, using various patterns:
"[uri:*.jsp]", or "[uri:*:*.jsp]", but none of them helped - it seemed that
Apache was just bypassing mod_jk2 and _ANY_ URI mappings when the Host header
contained an invalid port.
So as a temporary workaround I've prepared the following access control
mechanism in Apache:
--- BEGIN SNIP ---
# If the "Host:" header specifies a port, deny access to JSP files by setting a
# custom env variable:
SetEnvIfNoCase Host \: HOST_PORT_DENIED=yes
# The ports 80, 443 and XXXX are valid, unset the custom env variable for them:
SetEnvIfNoCase Host \:80$ !HOST_PORT_DENIED
SetEnvIfNoCase Host \:443$ !HOST_PORT_DENIED
SetEnvIfNoCase Host \:XXXX$ !HOST_PORT_DENIED
# deny access to JSP based on custom env variable presence:
<Files "*.jsp">
Order Allow,Deny
Allow from all
Deny from env=HOST_PORT_DENIED
</Files>
--- END SNIP ---
This, however, is only a workaround. Ideally, requests with a "Host:" header
specifying a port on which Apache doesn't listen should be denied (IMHO), or at
least passed through mod_jk2 and its URI mappings.
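To check what the SetEnvIf workaround above actually allows and denies without a running httpd, the following added example (not part of the bug report) emulates its rule order in Python: any colon in the Host: value sets the flag, then a trailing ":<allowed port>" clears it. The allowed-port list is an assumption; the secret port XXXX is elided in the report, so it is not filled in here. A second, stricter variant is my own suggestion, not the reporter's: it only denies when a numeric port suffix is present and not in the list, which avoids denying IPv6 literal hosts such as "[::1]" that contain colons but no port.

```python
"""Emulate the SetEnvIfNoCase workaround for Host: port checking.

Added example, not from the bug report. allowed_ports is an assumption;
add the report's elided port XXXX yourself.
"""
import re


def host_port_denied(host_value, allowed_ports=(80, 443)):
    """Return True when the posted rules would leave HOST_PORT_DENIED set.

    Mirrors the rule order exactly: 'SetEnvIfNoCase Host \\:' sets the
    flag on any colon, then each 'SetEnvIfNoCase Host \\:<port>$' unsets it.
    """
    denied = False
    if re.search(r":", host_value, re.IGNORECASE):
        denied = True
    for port in allowed_ports:
        if re.search(rf":{port}$", host_value, re.IGNORECASE):
            denied = False
    return denied


# Suggested tighter rule (assumption, not from the report): only a numeric
# port suffix is examined, so bare hostnames and IPv6 literals pass.
PORT_SUFFIX = re.compile(r":(\d+)$")


def host_port_denied_strict(host_value, allowed_ports=(80, 443)):
    """Deny only when a trailing ':<digits>' is present and not allowed."""
    m = PORT_SUFFIX.search(host_value)
    if m is None:
        return False
    return int(m.group(1)) not in allowed_ports


def evaluate(host_values, allowed_ports=(80, 443)):
    """Tabulate both rule sets for a list of Host: values."""
    return {
        v: (host_port_denied(v, allowed_ports),
            host_port_denied_strict(v, allowed_ports))
        for v in host_values
    }


if __name__ == "__main__":
    # Constructed sample Host: values, including the report's 1234 case.
    samples = ["www.example.com", "www.example.com:80", "www.example.com:443",
               "www.example.com:1234", "www.example.com:8080", "[::1]", "[::1]:1234"]
    print(f"{'Host:':24} posted-rules  strict")
    for host, (posted, strict) in evaluate(samples).items():
        print(f"{host:24} {str(posted):12}  {strict}")
```

Note that both variants still let a Host: value naming a listening port through to mod_jk2; they only close the path where a non-listening port causes the URI mappings to be skipped.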