Posted to dev@tomcat.apache.org by bu...@apache.org on 2011/09/02 12:35:50 UTC

DO NOT REPLY [Bug 51698] ajp CPing/Forward-Request packet forgery, is a design decision? or a security vulnerability?

https://issues.apache.org/bugzilla/show_bug.cgi?id=51698

--- Comment #3 from Edward Quick <ed...@hotmail.com> 2011-09-02 10:35:50 UTC ---
Hi there, I was testing this out to see if my site was vulnerable and got the
following results. I'm not sure, looking at the code comments in
ForwardRequestForgeryExample.java, whether the output below means it's vulnerable,
or what exactly that exploited. Could you help me out a bit please?

Thanks,
Ed.

C:>java -cp . ForwardRequestForgeryExample
Sending AJP Forward-Request Packet...
End

$ tail -f catalina.out
Invoke HelloWorldExample.doPost method:
-------------------------------------------
Host: my.evil-site.com
RemoteAddr: 1.2.3.4
LocalPort: 999
woo: I am here


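What the output above demonstrates is that whoever can open a TCP connection to the AJP port can hand the servlet its own Host, RemoteAddr, LocalPort and request attributes: AJP trusts the front-end proxy to fill those in. The mitigation is to make sure only that proxy can talk to the connector. The following server.xml fragment is an added example for this thread, not part of the bug report or of Tomcat's own distribution files; it shows the exposed setting beside a hardened one. The connector attributes `address` and `requiredSecret` are real Tomcat 7-era AJP connector attributes; the secret value and the assumption that the reverse proxy is mod_jk on the same host are mine.

```xml
<!-- Weak setting (added example): AJP bound to every interface with no shared
     secret, so any client that can reach port 8009 can send a Forward-Request
     carrying spoofed Host/RemoteAddr/attributes, as in the output above. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened setting (added example). Bind to loopback so only a proxy on this
     host can connect, and reject any Forward-Request that does not carry the
     shared secret. The secret value is a placeholder; generate a long random one. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           requiredSecret="REPLACE-WITH-LONG-RANDOM-SECRET" />
```

The proxy must send the same value; with mod_jk that is `worker.<name>.secret=REPLACE-WITH-LONG-RANDOM-SECRET` in workers.properties (placeholder again). In later Tomcat releases (8.5.51 and 9.0.31 onward) the attribute is spelled `secret` with `secretRequired="true"`, and `allowedRequestAttributesPattern` additionally restricts which arbitrary request attributes (the `woo` line in the output) a proxy may set. If the proxy runs on another host, bind `address` to the interface facing it and firewall port 8009 to that host only; the secret alone is the second layer, not a substitute for network restriction.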