https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
Bug #: 51698
Summary: ajp CPing/Forward-Request packet forgery, is a design decision? or a security vulnerability?
Product: Tomcat 7
Version: 7.0.20
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
AssignedTo: dev@tomcat.apache.org
ReportedBy: zhh200...@gmail.com
Classification: Unclassified

Created attachment 27416
--> https://issues.apache.org/bugzilla/attachment.cgi?id=27416
ajp CPing packet forgery example

Because the ajp "Data" packet has no "CodeType" and Tomcat adopts a lazy-reading strategy for reading the ajp "Data" packet (i.e., if you don't invoke request.getParameter("XXX"), Tomcat doesn't read the POST request "Data" packet), the current "Data" packet stays in the socket input stream. The connection is keep-alive, so the ajp bio/nio processor reads the next packet, which this time is the "Data" packet. If the first byte of the "Data" packet's length is 0x02 (Code Type of Forward Request packet) or 0x0A (Code Type of CPing packet), then Tomcat will be in trouble.

Please see the attachments.

First example: ajp CPing packet forgery example
Second example: ajp Forward-Request packet forgery
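Added illustration, not from the report or from Tomcat's own code: a minimal model of AJP13 framing showing why a request-body "Data" packet left unread on a keep-alive connection is misread as the prefix code of the next request, and that draining the unread body at end of request removes the ambiguity. The packet contents are constructed stand-ins (the Forward Request payload is shortened to its prefix code plus a placeholder for the headers).

```python
import struct

# AJP13 framing, web server -> servlet container: magic 0x12 0x34, a 2-byte
# big-endian payload length, then the payload. Request-type packets start
# with a 1-byte prefix code; request-body ("Data") packets have no code, just
# a 2-byte body length followed by the body bytes.
MAGIC = b"\x12\x34"
PREFIX_NAMES = {0x02: "FORWARD_REQUEST", 0x0A: "CPING"}


def frame(payload: bytes) -> bytes:
    """Wrap a payload in an AJP13 packet header."""
    return MAGIC + struct.pack(">H", len(payload)) + payload


def data_packet(body: bytes) -> bytes:
    """A request-body chunk; its first payload byte is the high byte of len(body)."""
    return frame(struct.pack(">H", len(body)) + body)


def read_packet(stream: bytes, pos: int):
    """Return (payload, next_pos), or (None, pos) when the stream is exhausted."""
    if pos + 4 > len(stream) or stream[pos:pos + 2] != MAGIC:
        return None, pos
    length = struct.unpack(">H", stream[pos + 2:pos + 4])[0]
    end = pos + 4 + length
    return stream[pos + 4:end], end


def process(stream: bytes, drain_unread_body: bool) -> list:
    """Simulate the processor loop on a keep-alive AJP connection and return
    the packet types it believed it received. With drain_unread_body=False the
    body is read lazily (only if the servlet asks for it, which here it never does)."""
    seen, pos = [], 0
    while True:
        payload, pos = read_packet(stream, pos)
        if payload is None:
            return seen
        kind = PREFIX_NAMES.get(payload[0], "OTHER")
        seen.append(kind)
        if kind == "FORWARD_REQUEST" and drain_unread_body:
            # End of request: consume the body chunk the web server sent with it
            # so the next read starts at a real packet boundary.
            _body, pos = read_packet(stream, pos)


# Constructed stream: one forwarded POST (stand-in payload) whose body is
# 0x0A00 = 2560 bytes, so the Data packet's first payload byte is 0x0A.
POST_WITH_BODY = frame(b"\x02" + b"<headers>") + data_packet(b"A" * 0x0A00)


def lazy_view() -> list:
    return process(POST_WITH_BODY, drain_unread_body=False)


def drained_view() -> list:
    return process(POST_WITH_BODY, drain_unread_body=True)
```

The lazy processor reports a CPing it never received, while the draining processor sees only the forwarded request; a body of any other length is still misread (as an unknown type), so the fix is to consume unread body packets before reading the next request, not to special-case 0x02 and 0x0A.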