Posted to dev@tomcat.apache.org by "Jerome Lacoste (Frisurf)" <la...@frisurf.no> on 2003/01/03 11:05:48 UTC

Re: cvs commit: jakarta-tomcat-connectors/jk/xdocs/jk workershowto.xml

>                         const char *wname) {
>   +    int rc = JK_TRUE;
>   +    char buf[1024];
>   +    if (m && wname) {
>   +        int value;
>   +        sprintf(buf, "%s.%s.%s", PREFIX_OF_WORKER, wname, STICKY_SESSION);
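Review bot: the sprintf() into buf[1024] in this hunk has no bound on wname, so a worker name long enough to push "PREFIX_OF_WORKER.wname.STICKY_SESSION" past 1023 characters overruns the stack buffer. Use snprintf(buf, sizeof(buf), "%s.%s.%s", PREFIX_OF_WORKER, wname, STICKY_SESSION) and treat a return value >= sizeof(buf) as an error (set rc = JK_FALSE and skip the lookup) rather than using a truncated key; the same applies wherever this pattern is repeated.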

Seeing that checkin I got curious and I had a look at the code. 
I saw that this sprintf is used a lot in that way. Was wondering if
there was a way to pass some parameters to overflow the buffer.
Especially if the name comes from a property read from a file. I didn't
see any special protection checking the length of the parameters, wname
in that case.

Am I wrong?

J.




--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: cvs commit: jakarta-tomcat-connectors/jk/xdocs/jk workershowto.xml

Posted by "Jerome Lacoste (Frisurf)" <la...@frisurf.no>.
On Fri, 2003-01-03 at 12:52, Tim Funk wrote:
> wname is the worker name. This name is the name of the worker as defined 
> in the JK property config file. Eg:
> 
> worker.tomcat1.host=localhost
>         ^^^^^^^
> 
> For example above: tomcat1 is the worker name.
> 
> If someone were to attempt a buffer overflow, they would need write 
> access to the Jk config file. (Then have enough permission/patience 
> until apache is restarted).

That's what I was thinking of. Bad permissions on the file can create a
risk. It is not likely, but that is one way of getting bigger
privileges. Of course that would mean the admin runs tomcat as root in
order to be exploitable.

> I do not think this is a problem (except for the admin of the box).

OK.




Re: cvs commit: jakarta-tomcat-connectors/jk/xdocs/jk workershowto.xml

Posted by Tim Funk <fu...@joedog.org>.
wname is the worker name. This name is the name of the worker as defined 
in the JK property config file. Eg:

worker.tomcat1.host=localhost
        ^^^^^^^

For example above: tomcat1 is the worker name.

If someone were to attempt a buffer overflow, they would need write 
access to the Jk config file. (Then have enough permission/patience 
until apache is restarted).

I do not think this is a problem (except for the admin of the box).

-Tim


Jerome Lacoste (Frisurf) wrote:
>>                        const char *wname) {
>>  +    int rc = JK_TRUE;
>>  +    char buf[1024];
>>  +    if (m && wname) {
>>  +        int value;
>>  +        sprintf(buf, "%s.%s.%s", PREFIX_OF_WORKER, wname, STICKY_SESSION);
> 
> 
> Seeing that checkin I got curious and I had a look at the code. 
> I saw that this sprintf is used a lot in that way. Was wondering if
> there was a way to pass some parameters to overflow the buffer.
> Especially if the name comes from a property read from a file. I didn't
> see any special protection checking the length of the parameters, wname
> in that case.
> 
> Am I wrong?
> 
> J.


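The buffer question Jerome raises and the config-file origin of the worker name that Tim describes, as an added C example that is not mod_jk's code: it pulls the worker name out of a constructed `worker.<name>.<prop>=<value>` line like Tim's, reports whether that name would overrun the 1024-byte buffer from the quoted hunk, and shows the bounded snprintf form that refuses an over-long name instead of writing past the buffer. The values assigned to PREFIX_OF_WORKER and STICKY_SESSION, the JK_TRUE/JK_FALSE values, and the function names are assumptions made for the example.

```c
/* Added example, not mod_jk code. PREFIX_OF_WORKER and STICKY_SESSION are
   the macro names from the quoted hunk; the values below are assumptions. */
#include <stdio.h>
#include <string.h>

#define PREFIX_OF_WORKER "worker"
#define STICKY_SESSION   "sticky_session"
#define KEY_BUF_SIZE     1024          /* char buf[1024] in the quoted hunk */

#define JK_TRUE  1                     /* assumed values */
#define JK_FALSE 0

/* Bytes the key "worker.<wname>.sticky_session" needs, including the NUL. */
static size_t key_len_needed(const char *wname)
{
    return strlen(PREFIX_OF_WORKER) + 1 + strlen(wname) + 1
         + strlen(STICKY_SESSION) + 1;
}

/* Would the unbounded sprintf() in the hunk write past a 1024-byte buffer
   for this worker name? Returns 1 if so, 0 otherwise. */
int wname_overflows_buf(const char *wname)
{
    return key_len_needed(wname) > KEY_BUF_SIZE;
}

/* Bounded replacement for the hunk's sprintf(). snprintf never writes more
   than buflen bytes; its return value is the length the full string would
   have had, so n >= buflen means the key was truncated. A truncated key is
   rejected (JK_FALSE, buf emptied) rather than used for a property lookup. */
int build_sticky_key(char *buf, size_t buflen, const char *wname)
{
    int n;
    if (!buf || !wname || buflen == 0)
        return JK_FALSE;
    n = snprintf(buf, buflen, "%s.%s.%s", PREFIX_OF_WORKER, wname, STICKY_SESSION);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';
        return JK_FALSE;
    }
    return JK_TRUE;
}

/* Extract <name> from a "worker.<name>.<prop>=<value>" properties line into
   out. Returns the name length, or 0 if the line is not of that form or the
   name does not fit in out. */
size_t worker_name_from_line(const char *line, char *out, size_t outlen)
{
    const size_t plen = strlen(PREFIX_OF_WORKER);
    const char *p, *dot;
    size_t len;

    if (strncmp(line, PREFIX_OF_WORKER, plen) != 0 || line[plen] != '.')
        return 0;
    p = line + plen + 1;
    dot = strchr(p, '.');
    if (!dot)
        return 0;                      /* e.g. "worker.list=..." has no name */
    len = (size_t)(dot - p);
    if (len == 0 || memchr(p, '=', len) != NULL || len + 1 > outlen)
        return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed config line in the shape Tim quotes. */
    const char *line = "worker.tomcat1.host=localhost";
    char name[64], key[KEY_BUF_SIZE];
    char big[1101];                    /* constructed over-long worker name */

    if (worker_name_from_line(line, name, sizeof name))
        printf("worker name '%s': overflows 1024-byte buf? %d, key ok? %d -> %s\n",
               name, wname_overflows_buf(name),
               build_sticky_key(key, sizeof key, name), key);

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("1100-char name: overflows 1024-byte buf? %d, key ok? %d\n",
           wname_overflows_buf(big), build_sticky_key(key, sizeof key, big));
    return 0;
}
```

As Tim notes, only someone who can already edit the properties file can supply such a name, but the bounded form costs nothing and turns a silent stack overrun into a reported configuration error.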