http://issues.apache.org/bugzilla/show_bug.cgi?id=37439

           Summary: Virtual Host selection across Services?
           Product: Tomcat 5
           Version: 5.5.9
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]

I have a TC 5.5 fronted by Apache2/mod_jk. Two SSL sites on different IPs, one for users, one for admins. The admin one is Apache password protected. Each Apache IP virtual host uses a different worker to talk to TC on a different port in a different service. For example:

    <Service name="User">
      <Connector scheme="https" secure="true" address="127.0.0.1" port="10004"
                 debug="0" useURIValidationHack="false" protocol="AJP/1.3"/>
      <Engine name="Standalone" defaultHost="User" debug="0">
        <Host name="User" debug="0" appBase="webapps/SomethingUser" unpackWARs="false">
          <Context blahblah/>
        </Host>
      </Engine>
    </Service>

    <Service name="Admin">
      <Connector scheme="https" secure="true" address="127.0.0.1" port="10005"
                 debug="0" useURIValidationHack="false" protocol="AJP/1.3"/>
      <Engine name="Standalone" defaultHost="Admin" debug="0">
        <Host name="Admin" debug="0" appBase="webapps/SomethingAdmin" unpackWARs="false">
          <Context blahblah/>
        </Host>
      </Engine>
    </Service>

The problem, and it may be intended behavior, is that if you connect to ip1 and spoof your Host header as 'Admin', Apache correctly routes the request (jk in debug says it connects via 10004) to TC via the User worker, but then TC appears to match the virtual host name in a different service and serves admin content, getting around Apache's password protection.

Via browsing a lot of bugs tonight I'm aware of the useIPVHost element, which I could probably use to lock each host to the host Apache intended, but this can't be intended behaviour. Can it? Across Service tags? Why would you ever need more than one service or connector then?

Hopefully at the very least this will spur a note in the docs if it is intended, as this is potentially dangerous. LMK if you need anything else to reproduce.
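A configuration check written for this report, not the reporter's code and not part of Tomcat: it parses a constructed server.xml modelled on the two-Service layout above and flags connectors that still select the virtual host from the client's Host header while another Service defines Hosts they were not meant to serve. It assumes the Connector's useIPVHosts attribute (the setting the report refers to as useIPVHost) is the way to pin Host selection to the listening IP.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the report: two Services, each with its own
# AJP connector; the Admin Host should only be reachable via port 10005.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="User">
    <Connector address="127.0.0.1" port="10004" protocol="AJP/1.3"/>
    <Engine name="Standalone" defaultHost="User">
      <Host name="User" appBase="webapps/SomethingUser"/>
    </Engine>
  </Service>
  <Service name="Admin">
    <Connector address="127.0.0.1" port="10005" protocol="AJP/1.3"/>
    <Engine name="Standalone" defaultHost="Admin">
      <Host name="Admin" appBase="webapps/SomethingAdmin"/>
    </Engine>
  </Service>
</Server>
"""

def audit_services(xml_text):
    """One record per Connector: Service, port, Hosts of its own Engine, and
    whether Host selection is pinned to the listening IP (useIPVHosts)."""
    findings = []
    for service in ET.fromstring(xml_text.strip()).iter("Service"):
        hosts = [h.get("name") for h in service.iter("Host")]
        for conn in service.findall("Connector"):
            findings.append({
                "service": service.get("name"), "port": conn.get("port"),
                "hosts": hosts,
                # useIPVHosts="true": Tomcat picks the Host from the arrival IP,
                # not from the client-supplied Host header (assumed attribute).
                "ip_bound": conn.get("useIPVHosts", "false").lower() == "true",
            })
    return findings

def cross_service_risks(findings):
    """Connectors that still trust the Host header while another Service
    defines Hosts they were never meant to serve."""
    risks = []
    for f in findings:
        foreign = sorted({h for g in findings if g["service"] != f["service"]
                          for h in g["hosts"]})
        if foreign and not f["ip_bound"]:
            risks.append((f["service"], f["port"], foreign))
    return risks

if __name__ == "__main__":
    for svc, port, foreign in cross_service_risks(audit_services(SAMPLE_SERVER_XML)):
        print(f"{svc} connector :{port} honours Host header; foreign Hosts {foreign}")
```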