using the latest JDK and JRE.
We suspect this is an issue with Tomcats classloader.
Any suggestions?
Jim Manico
VP Software Engineering
CodeMagi, Inc.
808-652-3805 cell
801-606-7888 fax
[EMAIL PROTECTED]
tly appreciated.
Best,
Jim Manico
I would like to add HTTPOnly support to the tomcat session handler
I added a bugzilla item
http://issues.apache.org/bugzilla/show_bug.cgi?id=44382
Thoughts would be greatly apprecited
Jim Manico, Senior Application Security Engineer
<mailto:[EMAIL PROTECTED]>
> response.addCookie(new Cookie("test_cookie3", "123===")) looks like
something which should be working.
Honestly, this is not user driven - it's only server programmer driven.
I would dare to say this is either absolutely horrible server side
programming or a possible attempt at a hack/atta
Filip,
Would you consider auto-encoding only = and ; in the cookie value, but
leaving everything else alone for v0 cookies? Would this possibly pass TCK?
- Jim
no regression, if you do this
c = new javax.servlet.http.Cookie("abcv1","123==");
c.setVersion(1);
response.addCookie(c);
then i
What about making
//cookies v0
c = new javax.servlet.http.Cookie("abcv0","123==");
response.addCookie(c);
At least throw some kind of malformedCookieData exception instead of
just "failing gracefully" to accelerate programmers ability to upgrade
legacy systems?
- Jim
On Sat, 2008-02-09 at
> I guess we could throw a run time exception if the value contained
any of those. other than that, I'm not sure how to behave
I think this is the best case scenario for v0 cookies. Perhaps, if you
really want to get fancy, you can add a flag to let legacy solutions
roll back to the old/non-st
solution.
- Jim
Jim Manico wrote:
> I guess we could throw a run time exception if the value contained
any of those. other than that, I'm not sure how to behave
I think this is the best case scenario for v0 cookies. Perhaps, if
you really want to get fancy, you can add a flag to let l
such as reflective XSS due to poor
input validation. Low risk as Filip saz, but a security problem
none-the-less.
- Jim
Filip Hanik - Dev Lists wrote:
Jim Manico wrote:
> I guess we could throw a run time exception if the value contained
any of those. other than that, I'm not sure how to
Filip - you are 100% correct on this thread. Are you basically the
traffic cop guarding the core of Tomcat?
- Jim
Mark Thomas wrote:
Remy Maucherat wrote:
Filip Hanik - Dev Lists wrote:
Jim Manico wrote:
> I guess we could throw a run time exception if the value
contained any of th
That post was meant to go to Filip only, since he is an old friend. I
was not trying to poke fun at your perspective on this public list,
Remy. I'm going exit stage left and stop adding my thoughts to this thread.
My apologies.
- Jim
On Sun, 2008-02-10 at 11:44 -0500, Jim Manico
Remy,
I think it would serve you to review the proposed Apache code of conduct
at http://wiki.apache.org/incubator/CodeOfConduct
*Motto*
*Core Value*
* Put community before code. *
* collaboration *
Let they that do the work make the decisions.
self-determina
Gentlemen,
I'd like to make a suggestion to add HTTPOnly support to Tomcat 5.5 (for
starters). This is a significant security enhancement that will assist
in preventing XSS attacks.
http://msdn2.microsoft.com/en-us/library/ms533046.aspx
Since the javax core is a "sacred" portion of the codeb
Rely,
This is not a ms hack, but a security enhancement supported by all
browsers. Do some research and get back to us.
Jim
On Mar 10, 2008, at 5:33 AM, Remy Maucherat <[EMAIL PROTECTED]> wrote:
On Sun, 2008-03-09 at 19:56 -0700, Filip Hanik - Dev Lists wrote:
haven't forgotten about you,
Remy,
I recommend more careful research on this topic.
IE 6+ supports HttpOnly
FireFox 2.0.0.6+ support HttpOnly
Opera 9.5+ has promised HttpOnly support
Safari is still considering
On Mon, 2008-03-10 at 08:16 -0400, Jim Manico wrote:
Rely,
This is not a ms hack, but a security
According to Daniel Stenberg, Cookies are not even *mentioned* in RFC2616
Per http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0623.html
"On Tue, 18 Mar 2008, Jim Manico wrote:
> Are there any efforts underway to support the HttpOnly cookie directive
> within any version
Right, but are there any active cookie standards that can be amended?
7 /12 year old standards are not very valid or useful in the fast-moving
internut world.
- Jim
The standard is only 7 1/2 years old;
http://www.ietf.org/rfc/rfc2965
Jim Manico wrote:
According to Daniel Stenberg, Cookies
I'm continuing to do a security review of Tomcat 5.5 for my company. I
noticed that linefeeds get ripped out of header values which stops
header injection attacks cold. Whoever did this, I commend you. Many
other containers do not. You Rock.
Can anyone point me to the code that does this?
Bes
Thank you very much, Mark and Filip.
- Jim
Jim Manico wrote:
I'm continuing to do a security review of Tomcat 5.5 for my company.
I noticed that linefeeds get ripped out of header values which stops
header injection attacks cold. Whoever did this, I commend you. Many
other containers d
consideration would be greatly appreciated. Please at least
review before you jump down my throat, Remy! :)
Best,
Jim Manico
[EMAIL PROTECTED]
Senior Application Security Engineer
Aspect Security / OWASP.org
-
To unsubscribe
Gentlemen,
As a blatant bribery attempt - I live and work on the island of Kauai in
Hawaii.
Whomever commits this
*https://issues.apache.org/bugzilla/show_bug.cgi?id=44382*
Will win a free stay in my guest house. :) Food included. Zip code
96703, <5 minutes from the beach.
=D
--
Tequila, tents, food and wireless access provided!!! Tomcat coding party
at Jim's house!
nice, since we work RTC (Review-Then-Commit) you're gonna have to extend
this invitation to everyone who votes for the patch's inclusion :)
Lol
Filip
Beer provided ?
PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Jim Manico
Senior Application Security Engineer
Aspect Security
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
ing party via wireless *just found* that this
is invalid, told him personally, and then revoke the commit again.!
cheers, Guen.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
ea waht might be the problem where to look. Why the Service keeps
working as long as I keep calling but stops working if I call after couple
of hours. Is there
any settings I need to make on Tomcat as I am new to Tomcat so have no idea
where to look.
Any help is appreciated.
Thanks
Remy - please consider the Apache guidelines about being respectful on the
public lists.
Key word: please.
- Jim
-Original Message-
From: Remy Maucherat <[EMAIL PROTECTED]>
Sent: Wednesday, April 23, 2008 7:35 AM
To: Tomcat Developers List
Subject: Re: Osgifing Tomcat
On Tue, 2008-04-
The Fortify Opensource project automatically scans the Tomcat codebase
on a regular basis.
This probably only gives you 10% security coverage at best, but it's a
free report form a $50k tool.
http://opensource.fortifysoftware.com
Hi devs,
I've been investigating Apache Tomcat within my Bach
research, the Fortify Tomcat report might be a little interesting.
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com
Jim
(like I just need to pass an audit and I don't
really care about security)
- Jim
Mark Thomas wrote:
Jim Manico wrote:
The Fortify Opensource project automatically scans the Tomcat
codebase on a regular basis.
This probably only gives you 10% security coverage at best, but it's
be, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your applications at the sou
than just the
narrow-scope technical problem. If you're using the words this guy is
using -- something is wrong with your findings:
·"Perhaps"
·"Could"
·"Presumably"
·"What if"
·"Bug-prone if"
-
My understanding is that crlf breaks the rfc and leads to http response
splitting attacks.
-Original Message-
From: [EMAIL PROTECTED]
Sent: Tuesday, June 10, 2008 11:50 AM
To: [EMAIL PROTECTED]
Subject: DO NOT REPLY [Bug 45180] New: CRLF Newline characters stripped from
header values
ht
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
r scripts better.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-380
and
provide a patch.
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your applications at the source
http://www.asp
ation,Queue)
---
Jens Kapitza
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301
This is a worthwhile post to read regarding path traversal attacks
against tomcat.
http://www.0x00.com/?i=630
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your applications
I can feel the love. Thanks for your constructive comment, William.
- Jim
Jim Manico wrote:
This is a worthwhile post to read regarding path traversal attacks
against tomcat.
http://www.0x00.com/?i=630
Worthwhile? To note the community frustration against Tomcat parsers?
Must be what
The books have arrived - we are all set!
-Original Message-
From: [EMAIL PROTECTED]
Sent: Thursday, September 25, 2008 11:41 AM
To: dev@tomcat.apache.org
Subject: svn commit: r699015 - /tomcat/current/tc4.1.x/STATUS.txt
Author: rjung
Date: Thu Sep 25 09:41:36 2008
New Revision: 699015
UR
Findbugs does a real bad job of findings real security bugs - I would
recommend running the codebase against Fortify + include the new Cigital
rulepack.
Or take a look at the results of the Fortify Open Source Analysis project
https://opensource.fortify.com/teamserver/welcome.fhtml
- Jim
Jus
t: Saturday, September 27, 2008 5:58 AM
To: Tomcat Developers List
Subject: Re: Findbugs results when run against Tomcat6
Jim Manico wrote:
> Findbugs does a real bad job of findings real security bugs - I would
> recommend running the codebase against Fortify + include the new Cigital
&g
Best Regards,
Jim Manico
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Great, Mark,
I'll add this as a bug and take it on.
- Jim
> Jim Manico wrote:
>
>> URL Rewriting is consider to be a significant security risk (session
>> ID's get exposed in browser history, bookmarks, proxy servers and other
>> server-side application lo
Mark,
I for one an thrilled to see HTTPOnly support for Session Cookies in Tomcat
6.0 get close to fruition.
My oinion is that I think that session cookies should not be tagged as
HTTPOnly for Tomcat 6 by default. (Of course configuration should allow for
turning this on).
I worry that it'
44 matches
Mail list logo
