Posted to users@tomcat.apache.org by Edward Quick <Ed...@iggroup.com> on 2011/09/02 15:12:44 UTC

Bug 51698 - ajp CPing/Forward-Request packet forgery

Hi there,

I was testing out the packet forgery example (at https://issues.apache.org/bugzilla/show_bug.cgi?id=51698)
to see if my site was vulnerable and got the following results.
I'm not sure looking at the code comments in ForwardRequestForgeryExample.java
if the output below means it's vulnerable and what exactly that exploited.

Could someone give me a hand please?

Thanks,

Ed.

C:>java -cp . ForwardRequestForgeryExample
Sending AJP Forward-Request Packet...
End

$ tail -f catalina.out
Invoke HelloWorldExample.doPost method:
-------------------------------------------
Host: my.evil-site.com
RemoteAddr: 1.2.3.4
LocalPort: 999
woo: I am here





________________________________
The information contained in this email is strictly confidential and for the use of the addressee only, unless otherwise indicated. If you are not the intended recipient, please do not read, copy, use or disclose to others this message or any attachment. Please also notify the sender by replying to this email or by telephone (+44 (0)20 7896 0011) and then delete the email and any copies of it. Opinions, conclusions (etc) that do not relate to the official business of this company shall be understood as neither given nor endorsed by it. IG Group Holdings plc is a company registered in England and Wales under number 01190902. VAT registration number 761 2978 07. Registered Office: Cannon Bridge House, 25 Dowgate Hill, London EC4R 2YA. Authorised and regulated by the Financial Services Authority. FSA Register number 114059.

Re: Bug 51698 - ajp CPing/Forward-Request packet forgery

Posted by Mark Thomas <ma...@apache.org>.
On 02/09/2011 14:33, Edward Quick wrote:
> Thanks Mark.  The report says this makes (previous versions of) Apache Tomcat vulnerable to an authentication bypass and information disclosure, so I was just trying to understand how the example demonstrates that?

The example shows that Tomcat processes an AJP message that was entirely
controlled by the attacker rather than the reverse proxy. Tomcat trusts
that the information in the AJP message (authenticated user name, client IP
address, etc) is correct. If an attacker can control the AJP message
then things like authentication or filters based on client IP address
etc can all be bypassed.

Additionally, processing this extra request can cause Tomcat to start
mixing up responses to requests.

Mark

> 
> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org] 
> Sent: 02 September 2011 14:18
> To: Tomcat Users List
> Subject: Re: Bug 51698 - ajp CPing/Forward-Request packet forgery
> 
> On 02/09/2011 14:12, Edward Quick wrote:
>> Hi there,
>>
>> I was testing out the packet forgery example (at https://issues.apache.org/bugzilla/show_bug.cgi?id=51698)
>> to see if my site was vulnerable and got the following results.
>> I'm not sure looking at the code comments in ForwardRequestForgeryExample.java
>> if the output below means it's vulnerable and what exactly that exploited.
> 
> Yes, you are vulnerable.
> 
> The attack exploits a bug in the AJP connector you have configured.
> 
>> Could someone give me a hand please?
> 
> See above.
> 
> Mark
> 
>>
>> Thanks,
>>
>> Ed.
>>
>> C:>java -cp . ForwardRequestForgeryExample
>> Sending AJP Forward-Request Packet...
>> End
>>
>> $ tail -f catalina.out
>> Invoke HelloWorldExample.doPost method:
>> -------------------------------------------
>> Host: my.evil-site.com
>> RemoteAddr: 1.2.3.4
>> LocalPort: 999
>> woo: I am here
>>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
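Mark's point above is that the AJP connector believes whatever the message says about the client, so who is allowed to talk to it matters. The following conf/server.xml fragment is an added illustration, not from the thread: the first connector accepts AJP from any host that can reach the port, the second restricts it to a local reverse proxy and requires the worker's shared secret (attribute names are the Tomcat 7-era ones; `requiredSecret` became `secret`/`secretRequired` in later releases, and the secret value is a placeholder).

```xml
<!-- Added example, not from the thread: two AJP connector definitions for conf/server.xml. -->

<!-- Weak: bound to every interface, so any host that can reach port 8009 can hand
     Tomcat a Forward-Request carrying whatever remote address or user it likes. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened: only the reverse proxy on this machine can connect, and each request
     must carry the secret configured on the mod_jk worker (worker.NAME.secret).
     "replace-with-long-random-value" is a placeholder, not a real secret. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           requiredSecret="replace-with-long-random-value" />
```

This only narrows who can inject AJP messages; as Mark says, the attack exploits a bug in the connector itself, so it does not replace moving off the affected ("previous") Tomcat versions.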


RE: Bug 51698 - ajp CPing/Forward-Request packet forgery

Posted by Edward Quick <Ed...@iggroup.com>.
Thanks Mark.  The report says this makes (previous versions of) Apache Tomcat vulnerable to an authentication bypass and information disclosure, so I was just trying to understand how the example demonstrates that?

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: 02 September 2011 14:18
To: Tomcat Users List
Subject: Re: Bug 51698 - ajp CPing/Forward-Request packet forgery

On 02/09/2011 14:12, Edward Quick wrote:
> Hi there,
> 
> I was testing out the packet forgery example (at https://issues.apache.org/bugzilla/show_bug.cgi?id=51698)
> to see if my site was vulnerable and got the following results.
> I'm not sure looking at the code comments in ForwardRequestForgeryExample.java
> if the output below means it's vulnerable and what exactly that exploited.

Yes, you are vulnerable.

The attack exploits a bug in the AJP connector you have configured.

> Could someone give me a hand please?

See above.

Mark

> 
> Thanks,
> 
> Ed.
> 
> C:>java -cp . ForwardRequestForgeryExample
> Sending AJP Forward-Request Packet...
> End
> 
> $ tail -f catalina.out
> Invoke HelloWorldExample.doPost method:
> -------------------------------------------
> Host: my.evil-site.com
> RemoteAddr: 1.2.3.4
> LocalPort: 999
> woo: I am here
> 

Re: Bug 51698 - ajp CPing/Forward-Request packet forgery

Posted by Mark Thomas <ma...@apache.org>.
On 02/09/2011 14:12, Edward Quick wrote:
> Hi there,
> 
> I was testing out the packet forgery example (at https://issues.apache.org/bugzilla/show_bug.cgi?id=51698)
> to see if my site was vulnerable and got the following results.
> I'm not sure looking at the code comments in ForwardRequestForgeryExample.java
> if the output below means it's vulnerable and what exactly that exploited.

Yes, you are vulnerable.

The attack exploits a bug in the AJP connector you have configured.

> Could someone give me a hand please?

See above.

Mark

> 
> Thanks,
> 
> Ed.
> 
> C:>java -cp . ForwardRequestForgeryExample
> Sending AJP Forward-Request Packet...
> End
> 
> $ tail -f catalina.out
> Invoke HelloWorldExample.doPost method:
> -------------------------------------------
> Host: my.evil-site.com
> RemoteAddr: 1.2.3.4
> LocalPort: 999
> woo: I am here
> 