Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/04/21 23:43:52 UTC
DO NOT REPLY [Bug 19202] New: - Security checks normally run for IIS causing NullPointerException in Tomcat
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19202
Summary: Security checks normally run for IIS causing NullPointerException in Tomcat
Product: Tomcat 4
Version: 4.1.12
Platform: PC
OS/Version: Windows NT/2K
Status: NEW
Severity: Normal
Priority: Other
Component: Unknown
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: greensun@usa.net
The Win2K machine is running IIS 5. However, IIS and Tomcat are NOT
connected. Only one web application exists in Tomcat and is called directly
via http://server.name:8080/WebApp.
Our network team regularly runs security tests on our servers, and noticed a
new port (8080) open after I installed Tomcat. They have included it in their
testing schedule.
Whenever they try to run certain bogus URLs it is causing Tomcat to throw an
exception. It is not crashing the server, and does not appear to be
interfering with server functionality or the web application, but nonetheless I
am seeing an exception occur in the logs.
The URLs they call that cause these exceptions include:
/scripts/..\../winnt/system32/cmd.exe
/_vti_bin/..\../winnt/system32/cmd.exe
/msadc/..\../winnt/system32/cmd.exe
(basically anything w/ a DOS backslash leading to an actual cmd.exe file)
An example exception that occurs (taken from localhost_log) is below:
2003-04-11 10:16:05 StandardContext[]: Mapping contextPath='' with requestURI='/_vti_bin/..\../winnt/system32/cmd.exe' and relativeURI='/_vti_bin/..\../winnt/system32/cmd.exe'
2003-04-11 10:16:05 StandardContext[]: Mapped to servlet 'default' with servlet path '/_vti_bin/..\../winnt/system32/cmd.exe' and path info 'null' and update=true
2003-04-11 10:16:05 default: DefaultServlet.serveResource: Serving resource 'null' headers and data
2003-04-11 10:16:05 StandardWrapperValve[default]: Servlet.service() for servlet default threw exception
java.lang.NullPointerException
    at java.io.File.<init>(File.java:263)
    at org.apache.naming.resources.FileDirContext.file(FileDirContext.java:880)
    at org.apache.naming.resources.FileDirContext.getAttributes(FileDirContext.java:487)
    at org.apache.naming.resources.BaseDirContext.getAttributes(BaseDirContext.java:797)
    at org.apache.naming.resources.ProxyDirContext.cacheLoad(ProxyDirContext.java:1462)
    at org.apache.naming.resources.ProxyDirContext.cacheLookup(ProxyDirContext.java:1386)
    at org.apache.naming.resources.ProxyDirContext.lookup(ProxyDirContext.java:293)
    at org.apache.catalina.servlets.DefaultServlet$ResourceInfo.set(DefaultServlet.java:2267)
    at org.apache.catalina.servlets.DefaultServlet$ResourceInfo.<init>(DefaultServlet.java:2219)
    at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:921)
    at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:506)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:260)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
    at java.lang.Thread.run(Thread.java:536)
If you require further information please email me: greensun@usa.net
Thanks,
-Becky
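
Added example, not part of the original report and not Tomcat source code: the log line "Serving resource 'null'" followed by a NullPointerException in java.io.File.<init> is consistent with a path normalizer returning null for the backslash traversal and the caller using that value unchecked. The sketch below shows that pattern with the null guarded; the class name TraversalGuard, the methods normalize and statusFor, and the document root webapps/ROOT are hypothetical.

```java
// Added illustration; names are hypothetical and this is not Tomcat's implementation.
import java.io.File;
import java.util.ArrayDeque;

public class TraversalGuard {

    /** Returns the canonical request path, or null if it climbs above the root. */
    static String normalize(String path) {
        if (path == null) return null;
        String p = path.replace('\\', '/');           // treat DOS separators like '/'
        ArrayDeque<String> stack = new ArrayDeque<>();
        for (String seg : p.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (stack.isEmpty()) return null;     // would escape the document root
                stack.removeLast();
            } else {
                stack.addLast(seg);
            }
        }
        return "/" + String.join("/", stack);
    }

    /** Maps a request path to an HTTP status without ever passing null to java.io.File. */
    static int statusFor(File docBase, String requestPath) {
        String safe = normalize(requestPath);
        if (safe == null) return 404;                 // reject here; new File(docBase, null) would throw
        File f = new File(docBase, safe);
        return f.isFile() ? 200 : 404;
    }

    public static void main(String[] args) {
        File docBase = new File("webapps/ROOT");      // constructed sample root
        String[] paths = {                            // the three URLs from the report, plus a benign one
            "/scripts/..\\../winnt/system32/cmd.exe",
            "/_vti_bin/..\\../winnt/system32/cmd.exe",
            "/msadc/..\\../winnt/system32/cmd.exe",
            "/index.html"
        };
        for (String u : paths) {
            System.out.println(u + " -> normalize=" + normalize(u)
                    + ", status=" + statusFor(docBase, u));
        }
    }
}
```

Each of the three reported URLs normalizes to null and is answered with a 404 rather than an exception in the log.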