Posted to users@tomcat.apache.org by Ralph Einfeldt <ra...@uptime-isc.de> on 2002/07/19 08:11:52 UTC

Re: Is Tomcat affected by the Apache HTTP Server "chunked" encoding vulnerability?

I think that is not completely right.

- As the VM is written in C or C++ and uses some native libraries,
  it is always possible that there is a buffer overflow error in that
  part.

  It's just not possible to create new buffer overflow errors without
  using native code, but code you write might induce an overflow error
  in the underlying VM.

- The Apache problem report contains two possible problems:
  - Execution of arbitrary commands
    With Java it's much harder to use an overflow error to do
    this, as you have hardly any control over the memory. (I'm not
    sure enough to say that it is impossible to exploit it.)
  - Denial of service
    This can always happen in one way or another. (Find a bug in
    Tomcat that produces stack traces, or a part of Tomcat that exposes
    a VM error (sometimes it's quite easy to crash VMs), and hammer the
    site with requests that produce this error.)

> -----Original Message-----
> From: Tim Funk [mailto:funkman@joedog.org]
> Sent: Thursday, 18 July 2002 22:10
> To: Tomcat Users List
> Subject: Re: Is Tomcat affected by the Apache HTTP Server "chunked"
> encoding vulnerability?
> 
> 
> No. Java applications cannot be victim to buffer overflow errors.
> 
