Posted to users@tomcat.apache.org by Ralph Einfeldt <ra...@uptime-isc.de> on 2002/07/19 08:11:52 UTC
Re: Is Tomcat affected by the Apache HTTP Server "chunked" encoding vulnerability?
I think that is not completely right.
- As the VM is written in C or C++ and uses some native libraries,
  it is always possible that there is a buffer overflow error in that
  part.
  It's just not possible to create new buffer overflow errors without
  using native code, but code you write might induce an overflow error
  in the underlying VM.
- The Apache problem report contains two possible problems:
  - Execution of arbitrary commands
    With Java it's much harder to use an overflow error to do
    this, as you have hardly any control over the memory. (I'm not
    sure enough to say that it is impossible to exploit it.)
  - Denial of service
    This can always happen in one way or another. (Find a bug in
    Tomcat that produces stack traces or part of Tomcat that exposes
    a VM error (sometimes it's quite easy to crash VMs), hammer the
    site with requests that produce this error.)
> -----Original Message-----
> From: Tim Funk [mailto:funkman@joedog.org]
> Sent: Thursday, 18 July 2002 22:10
> To: Tomcat Users List
> Subject: Re: Is Tomcat affected by the Apache HTTP Server "chunked"
> encoding vulnerability?
>
>
> No. Java applications cannot be victim to buffer overflow errors.
>