Posted to dev@tomcat.apache.org by "Jerome Lacoste (Frisurf)" <la...@frisurf.no> on 2003/01/03 11:05:48 UTC
Re: cvs commit: jakarta-tomcat-connectors/jk/xdocs/jk workershowto.xml
> const char *wname) {
> + int rc = JK_TRUE;
> + char buf[1024];
> + if (m && wname) {
> + int value;
> + sprintf(buf, "%s.%s.%s", PREFIX_OF_WORKER, wname, STICKY_SESSION);
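Review bot: the sprintf on the last line of this hunk writes into the 1024-byte buf with no bound on wname, so a worker name longer than the space left after PREFIX_OF_WORKER, the two dots and STICKY_SESSION runs past the end of the array. Suggest snprintf(buf, sizeof(buf), "%s.%s.%s", ...) and setting rc to a failure value when the return is negative or >= sizeof(buf), so a truncated key is never used for the lookup.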
Seeing that checkin I got curious and I had a look at the code.
I saw that this sprintf is used a lot in that way. Was wondering if
there was a way to pass some parameters to overflow the buffer.
Especially if the name comes from a property read from a file. I didn't
see any special protection checking the length of the parameters, wname
in that case.
Am I wrong?
J.
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
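An added example, not part of the original thread or of the mod_jk source: one way to build the property key discussed above with a length check, so that an over-long worker name from the config file is rejected instead of overrunning the buffer. The helper name `build_worker_key` is hypothetical, and the macro values are stand-ins assumed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the mod_jk definitions; values are assumptions for this example. */
#define JK_TRUE  1
#define JK_FALSE 0
#define PREFIX_OF_WORKER "worker"
#define STICKY_SESSION   "sticky_session"

/*
 * Hypothetical helper: build "<prefix>.<wname>.<prop>" into buf.
 * Returns JK_TRUE only if the whole key fit. On truncation or bad
 * arguments buf is set to "" and JK_FALSE is returned, so a clipped
 * key can never be looked up by mistake.
 */
static int build_worker_key(char *buf, size_t buflen,
                            const char *wname, const char *prop)
{
    int n;

    if (!buf || buflen == 0)
        return JK_FALSE;
    buf[0] = '\0';
    if (!wname || !prop)
        return JK_FALSE;

    /* snprintf writes at most buflen bytes and returns the length
     * the complete string would have needed (excluding the NUL). */
    n = snprintf(buf, buflen, "%s.%s.%s", PREFIX_OF_WORKER, wname, prop);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';
        return JK_FALSE;
    }
    return JK_TRUE;
}

int main(void)
{
    char buf[1024];
    char longname[2048];              /* constructed oversized worker name */

    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';
    printf("tomcat1 -> %d (%s)\n",
           build_worker_key(buf, sizeof(buf), "tomcat1", STICKY_SESSION), buf);
    printf("2047-byte name -> %d\n",
           build_worker_key(buf, sizeof(buf), longname, STICKY_SESSION));
    return 0;
}
```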
Re: cvs commit: jakarta-tomcat-connectors/jk/xdocs/jk workershowto.xml
Posted by "Jerome Lacoste (Frisurf)" <la...@frisurf.no>.
On Fri, 2003-01-03 at 12:52, Tim Funk wrote:
> wname is the worker name. This name is the name of the worker as defined
> in the JK property config file. Eg:
>
> worker.tomcat1.host=localhost
>        ^^^^^^^
>
> For example above: tomcat1 is the worker name.
>
> If someone were to attempt a buffer overflow, they would need write
> access to the Jk config file. (Then have enough permission/patience
> until apache is restarted).
That's what I was thinking of. Bad permissions on the file can create a
risk. It is not likely, but that is one way of getting bigger
privileges. Of course that would mean the admin runs tomcat as root in
order to be exploitable.
> I do not think this is a problem (except for the admin of the box).
OK.
Re: cvs commit: jakarta-tomcat-connectors/jk/xdocs/jk workershowto.xml
Posted by Tim Funk <fu...@joedog.org>.
wname is the worker name. This name is the name of the worker as defined
in the JK property config file. Eg:
worker.tomcat1.host=localhost
       ^^^^^^^
For example above: tomcat1 is the worker name.
If someone were to attempt a buffer overflow, they would need write
access to the Jk config file. (Then have enough permission/patience
until apache is restarted).
I do not think this is a problem (except for the admin of the box).
-Tim
Jerome Lacoste (Frisurf) wrote:
>> const char *wname) {
>> + int rc = JK_TRUE;
>> + char buf[1024];
>> + if (m && wname) {
>> + int value;
>> + sprintf(buf, "%s.%s.%s", PREFIX_OF_WORKER, wname, STICKY_SESSION);
>
>
> Seeing that checkin I got curious and I had a look at the code.
> I saw that this sprintf is used a lot in that way. Was wondering if
> there was a way to pass some parameters to overflow the buffer.
> Especially if the name comes from a property read from a file. I didn't
> see any special protection checking the length of the parameters, wname
> in that case.
>
> Am I wrong?
>
> J.