60745 – False positive: Somebody try to hack into the site!!!

Bug 60745 - False positive: Somebody try to hack into the site!!!

Summary: False positive: Somebody try to hack into the site!!!

Status:	RESOLVED FIXED

Alias:	None

Product:	Tomcat Connectors
Classification:	Unclassified
Component:	isapi (show other bugs)
Version:	1.2.42
Hardware:	PC All

Importance:	P2 normal (vote)
Target Milestone:	---
Assignee:	Tomcat Developers Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-02-18 19:56 UTC by Arild Røkenes
Modified:	2018-08-21 14:40 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arild Røkenes 2017-02-18 19:56:20 UTC

This seems to be a recurring event in different versions.
It has earlier occurred in 1.2.32 ref https://bz.apache.org/bugzilla/show_bug.cgi?id=51769

Error Message
[2996:3812] [emerg] handle_notify_event::jk_isapi_plugin.c (1903): [/sm/dv/META-INF/services/org.apache.xerces.xni.parser.XMLParserConfiguration] points to the web-inf or meta-inf directory. Somebody tries to hack into the site!!!

Running on Windows Server 2012 R2 x64 with 64bit isapi filter.
IIS version 8.5.9600.16384

It seems to break the users connection making it impossible for user to reach the site until isapi filter has been reloaded.

Comment 1 Mark Thomas 2018-08-21 10:59:55 UTC

I can confirm that the false positive is still present however I can't recreate the issue of the user being blocked until the filter is reloaded.

Comment 2 Mark Thomas 2018-08-21 14:40:30 UTC

This has been fixed in 1.2.x for 1.2.44 onwards.

The check has essentially been removed from the ISAPI code as a) Tomcat performs the check any way and b) ISAPI can't perform the check correctly without knowledge of the current context path which it does not have.