|Summary:||ajp CPing/Forward-Request packet forgery, is a design decision? or a security vulnerability?|
|Product:||Tomcat 7||Reporter:||zhh <zhh200910>|
|Component:||Connectors||Assignee:||Tomcat Developers Mailing List <dev>|
ajp CPing packet forgery example
ajp Forward-Request packet forgery
Description zhh 2011-08-20 07:54:08 UTC
Created attachment 27416 [details] ajp CPing packet forgery example because the ajp "Data" packet no "CodeType" and tomcat adopts lazy-reading strategy for reading ajp "Data" packet， (i.e., if you don't invoke request.getParameter("XXX")，tomcat does't read post request "Data" packet) so，the current "Data" packet keeping in the socket inputstream， the connection is keep-alive, ajp bio/nio procesor reading the next packet， this time, is "Data" packet。 if the first byte of "Data" packet'length is 0x02(Code Type of Forward Request Packet) or 0x0A(Code Type of CPing Packet)， then tomcat will be in trouble. please see the attachments. firt example: ajp CPing packet forgery example second example: ajp Forward-Request packet forgery
Comment 1 zhh 2011-08-20 07:55:51 UTC
Created attachment 27417 [details] ajp Forward-Request packet forgery second example: ajp Forward-Request packet forgery
Comment 2 Mark Thomas 2011-08-29 19:45:57 UTC
This issue has been allocated CVE-2011-3190. The Tomcat security team strongly discourages the reporting of potential security vulnerabilities via public channels such as this issue tracker. Potential security vulnerabilities should be reported privately to email@example.com This issue has been fixed in trunk, 7.0.x, 6.0.x and 5.5.x and will be included in 7.0.21, 6.0.34 and 5.5.34 onwards.
Comment 3 Edward Quick 2011-09-02 10:35:50 UTC
Hi there, I was testing this out to see if my site was vulnerable and got the following results. I'm not sure looking at the code comments in ForwardRequestForgeryExample.java if the output below means it's vulnerable and what exactly that exploited. Could you help me out a bit please? Thanks, Ed. C:>java -cp . ForwardRequestForgeryExample Sending AJP Forward-Request Packet... End $ tail -f catalina.out Invoke HelloWorldExample.doPost method: ------------------------------------------- Host: my.evil-site.com RemoteAddr: 220.127.116.11 LocalPort: 999 woo: I am here
Comment 4 Mark Thomas 2011-09-02 10:49:16 UTC
Bugzilla is not a support forum. Please use the users mailing list.
Comment 5 Edward Quick 2011-09-02 13:04:04 UTC
Sorry about that. Will do.