Posted to dev@tomcat.apache.org by bu...@apache.org on 2005/11/10 07:03:14 UTC

DO NOT REPLY [Bug 37439] New: - Virtual Host selection across Services?

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=37439>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37439

           Summary: Virtual Host selection across Services?
           Product: Tomcat 5
           Version: 5.5.9
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: rnice@fraudscrub.com


I have a TC 5.5 fronted by Apache2/mod_jk.
Two SSL sites on different IPs, one for users, one for admins. The admin one is
Apache password protected. Each Apache IP virtual host uses a different worker
to talk to TC on a different port in a different service, for example:

<Service name="User">
  <Connector scheme="https" secure="true" address="127.0.0.1" port="10004"
             debug="0" useURIValidationHack="false" protocol="AJP/1.3"/>
  <Engine name="Standalone" defaultHost="User" debug="0">
    <Host name="User" debug="0" appBase="webapps/SomethingUser" unpackWARs="false">
      <Context blahblah/>
    </Host>
  </Engine>
</Service>

<Service name="Admin">
  <Connector scheme="https" secure="true" address="127.0.0.1" port="10005"
             debug="0" useURIValidationHack="false" protocol="AJP/1.3"/>
  <Engine name="Standalone" defaultHost="Admin" debug="0">
    <Host name="Admin" debug="0" appBase="webapps/SomethingAdmin" unpackWARs="false">
      <Context blahblah/>
    </Host>
  </Engine>
</Service>

The problem, and it may be intended behavior, is that if you connect to ip1 and
spoof your Host header as 'Admin', Apache correctly routes the request (jk in
debug says it connects via 10004) to TC via the User worker, but then TC appears
to match the virtual host name in a different service and serves admin content,
getting around Apache's password protection.
Via browsing a lot of bugs tonight I'm aware of the useIPVHost element which I
could probably use to lock each host to the host apache intended, but this can't
be intended behaviour. Can it? Across Service tags? Why would you ever need more
than one service or connector then?

Hopefully at the very least this will spur a note in the docs if it is
intended, as this is potentially dangerous. LMK if you need anything else to
reproduce.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
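The Tomcat Engine configuration reference states that when a Server contains more than one Service, each Engine must be assigned a unique name; the configuration in the report names both Engines "Standalone". Whether or not that is what the reporter hit, it is a cheap thing to check before filing or triaging a cross-Service routing problem. The script below is an added example, not part of the bug report or of Tomcat: it parses a server.xml, flags duplicate Engine names, and lists which Host names each Connector port is configured to serve, so the intended port-to-content mapping can be compared against what the server actually returns. The embedded server.xml is a constructed sample modelled on the report (with the placeholder Context elements replaced by valid ones).

```python
"""Audit a Tomcat server.xml for multi-Service configuration pitfalls.

Added example (not from the bug report or from Tomcat). Checks the rule in
the Tomcat Engine configuration reference that every Engine in a Server with
several Service elements must have a unique name, and reports the Host names
each Connector port is meant to reach.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample modelled on the configuration in the report: two
# Services, two AJP connectors on 127.0.0.1, and both Engines named
# "Standalone". The Context elements are valid stand-ins for "blahblah".
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="User">
    <Connector address="127.0.0.1" port="10004" protocol="AJP/1.3"
               scheme="https" secure="true"/>
    <Engine name="Standalone" defaultHost="User">
      <Host name="User" appBase="webapps/SomethingUser" unpackWARs="false">
        <Context path="" docBase="user"/>
      </Host>
    </Engine>
  </Service>
  <Service name="Admin">
    <Connector address="127.0.0.1" port="10005" protocol="AJP/1.3"
               scheme="https" secure="true"/>
    <Engine name="Standalone" defaultHost="Admin">
      <Host name="Admin" appBase="webapps/SomethingAdmin" unpackWARs="false">
        <Context path="" docBase="admin"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def audit_server_xml(xml_text):
    """Parse server.xml text and return a dict of findings.

    duplicate_engines: sorted Engine names used by more than one Service.
    ports: connector port -> (service name, engine name, [host names]).
    """
    root = ET.fromstring(xml_text)
    engine_names = Counter()
    ports = {}
    for service in root.findall("Service"):
        service_name = service.get("name", "?")
        engine = service.find("Engine")
        engine_name = engine.get("name") if engine is not None else None
        if engine_name:
            engine_names[engine_name] += 1
        hosts = []
        if engine is not None:
            hosts = [h.get("name") for h in engine.findall("Host")]
        # Every Connector in this Service should only ever reach these Hosts.
        for connector in service.findall("Connector"):
            ports[connector.get("port")] = (service_name, engine_name, hosts)
    duplicates = sorted(name for name, n in engine_names.items() if n > 1)
    return {"duplicate_engines": duplicates, "ports": ports}


def format_report(findings):
    """Render findings as plain text for a reviewer."""
    lines = []
    for port, (service, engine, hosts) in sorted(findings["ports"].items()):
        lines.append(
            f"port {port}: Service={service} Engine={engine} "
            f"Hosts={','.join(hosts) or '(none)'}"
        )
    for name in findings["duplicate_engines"]:
        lines.append(
            f"WARNING: Engine name {name!r} is used by more than one Service; "
            "the Tomcat Engine reference requires unique names."
        )
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    print(format_report(audit_server_xml(text)))
```

Run it with a real server.xml path as the first argument, or with no argument to see the warning the constructed sample produces.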