Re: Support for httpOnly cookies in Tomcat 6.0.x

2009-02-28 Thread Jim Manico
Mark, I for one am thrilled to see HTTPOnly support for Session Cookies in Tomcat 6.0 get close to fruition. My opinion is that session cookies should not be tagged as HTTPOnly for Tomcat 6 by default. (Of course configuration should allow for turning this on). I worry that it'

Re: URL Rewriting

2008-12-28 Thread Jim Manico
Great, Mark, I'll add this as a bug and take it on. - Jim > Jim Manico wrote: > >> URL Rewriting is considered to be a significant security risk (session >> IDs get exposed in browser history, bookmarks, proxy servers and other >> server-side application lo

URL Rewriting

2008-12-28 Thread Jim Manico
Best Regards, Jim Manico - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org

RE: Findbugs results when run against Tomcat6

2008-09-27 Thread Jim Manico
t: Saturday, September 27, 2008 5:58 AM To: Tomcat Developers List Subject: Re: Findbugs results when run against Tomcat6 Jim Manico wrote: > Findbugs does a real bad job of finding real security bugs - I would > recommend running the codebase against Fortify + include the new Cigital &g

Re: Findbugs results when run against Tomcat6

2008-09-26 Thread Jim Manico
Findbugs does a real bad job of finding real security bugs - I would recommend running the codebase against Fortify + include the new Cigital rulepack. Or take a look at the results of the Fortify Open Source Analysis project https://opensource.fortify.com/teamserver/welcome.fhtml - Jim Jus

RE: svn commit: r699015 - /tomcat/current/tc4.1.x/STATUS.txt

2008-09-25 Thread Jim Manico
The books have arrived - we are all set! -Original Message- From: [EMAIL PROTECTED] Sent: Thursday, September 25, 2008 11:41 AM To: dev@tomcat.apache.org Subject: svn commit: r699015 - /tomcat/current/tc4.1.x/STATUS.txt Author: rjung Date: Thu Sep 25 09:41:36 2008 New Revision: 699015 UR

Re: Exploiting Tomcat

2008-08-13 Thread Jim Manico
I can feel the love. Thanks for your constructive comment, William. - Jim Jim Manico wrote: This is a worthwhile post to read regarding path traversal attacks against tomcat. http://www.0x00.com/?i=630 Worthwhile? To note the community frustration against Tomcat parsers? Must be what

Exploiting Tomcat

2008-08-13 Thread Jim Manico
This is a worthwhile post to read regarding path traversal attacks against tomcat. http://www.0x00.com/?i=630 -- Jim Manico, Senior Application Security Engineer [EMAIL PROTECTED] | [EMAIL PROTECTED] (301) 604-4882 (work) (808) 652-3805 (cell) Aspect Security™ Securing your applications

Re: is JDK 1.1 still needed? README say Java5

2008-08-10 Thread Jim Manico
ation,Queue) --- Jens Kapitza

Tomcat Server Header Change

2008-07-25 Thread Jim Manico
and provide a patch.

Re: JRuby sucked up the bath water but left the baby behind.

2008-06-17 Thread Jim Manico
r scripts better.

Re: JRuby sucked up the bath water but left the baby behind.

2008-06-17 Thread Jim Manico

RE: DO NOT REPLY [Bug 45180] New: CRLF Newline characters stripped from header values

2008-06-10 Thread Jim Manico
My understanding is that CRLF breaks the RFC and leads to HTTP response splitting attacks. -Original Message- From: [EMAIL PROTECTED] Sent: Tuesday, June 10, 2008 11:50 AM To: [EMAIL PROTECTED] Subject: DO NOT REPLY [Bug 45180] New: CRLF Newline characters stripped from header values ht

On Tomcat Concurrency Problems

2008-05-15 Thread Jim Manico
than just the narrow-scope technical problem. If you're using the words this guy is using -- something is wrong with your findings: ·"Perhaps" ·"Could" ·"Presumably" ·"What if" ·"Bug-prone if" -

Re: Osgifing Tomcat

2008-05-01 Thread Jim Manico

Re: Assuring Security by testing

2008-05-01 Thread Jim Manico
(like I just need to pass an audit and I don't really care about security) - Jim Mark Thomas wrote: Jim Manico wrote: The Fortify Opensource project automatically scans the Tomcat codebase on a regular basis. This probably only gives you 10% security coverage at best, but it's

Re: Assuring Security by testing

2008-04-30 Thread Jim Manico
research, the Fortify Tomcat report might be a little interesting.

Re: Assuring Security by testing

2008-04-30 Thread Jim Manico
The Fortify Opensource project automatically scans the Tomcat codebase on a regular basis. This probably only gives you 10% security coverage at best, but it's a free report from a $50k tool. http://opensource.fortifysoftware.com Hi devs, I've been investigating Apache Tomcat within my Bach

RE: Osgifing Tomcat

2008-04-23 Thread Jim Manico
Remy - please consider the Apache guidelines about being respectful on the public lists. Key word: please. - Jim -Original Message- From: Remy Maucherat <[EMAIL PROTECTED]> Sent: Wednesday, April 23, 2008 7:35 AM To: Tomcat Developers List Subject: Re: Osgifing Tomcat On Tue, 2008-04-

Re: Web Service deployed on Tomcat stops responding after sometime

2008-04-08 Thread Jim Manico
ea what might be the problem, where to look. Why the Service keeps working as long as I keep calling but stops working if I call after a couple of hours. Is there any settings I need to make on Tomcat as I am new to Tomcat so have no idea where to look. Any help is appreciated. Thanks

Re: HttpOnly and Kauai

2008-04-02 Thread Jim Manico
ing party via wireless *just found* that this is invalid, told him personally, and then revoke the commit again! cheers, Guen.

Re: HttpOnly and Kauai

2008-04-01 Thread Jim Manico

Re: HttpOnly and Kauai

2008-03-31 Thread Jim Manico
Tequila, tents, food and wireless access provided!!! Tomcat coding party at Jim's house! nice, since we work RTC (Review-Then-Commit) you're gonna have to extend this invitation to everyone who votes for the patch's inclusion :) Lol Filip Beer provided ?

HttpOnly and Kauai

2008-03-31 Thread Jim Manico
Gentlemen, As a blatant bribery attempt - I live and work on the island of Kauai in Hawaii. Whomever commits this *https://issues.apache.org/bugzilla/show_bug.cgi?id=44382* Will win a free stay in my guest house. :) Food included. Zip code 96703, <5 minutes from the beach. =D --

httpOnly support patches

2008-03-30 Thread Jim Manico
consideration would be greatly appreciated. Please at least review before you jump down my throat, Remy! :) Best, Jim Manico [EMAIL PROTECTED] Senior Application Security Engineer Aspect Security / OWASP.org

Re: Tomcat Header Injection

2008-03-25 Thread Jim Manico
Thank you very much, Mark and Filip. - Jim Jim Manico wrote: I'm continuing to do a security review of Tomcat 5.5 for my company. I noticed that linefeeds get ripped out of header values which stops header injection attacks cold. Whoever did this, I commend you. Many other containers d

Tomcat Header Injection

2008-03-25 Thread Jim Manico
I'm continuing to do a security review of Tomcat 5.5 for my company. I noticed that linefeeds get ripped out of header values which stops header injection attacks cold. Whoever did this, I commend you. Many other containers do not. You Rock. Can anyone point me to the code that does this? Bes
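The behaviour Jim describes above, shown as an added example that is not Tomcat's code and not from the original thread: a value containing CR/LF, copied into a response header unchanged, terminates the header line and lets whoever controls the value add headers and a body (HTTP response splitting); removing CR and LF before the value is written keeps it on one line. The class and method names are ours, and the payload string is constructed for this example.

```java
public class HeaderInjectionDemo {

    // Attacker-controlled input an application might copy into a Location
    // or Set-Cookie header. Constructed for this example: one CR/LF ends
    // the Location header, the next starts a forged Set-Cookie, and the
    // blank line after it starts a body.
    static final String PAYLOAD =
        "/home\r\nSet-Cookie: JSESSIONID=attacker\r\n\r\n<html>injected</html>";

    // Header written with no filtering: the value escapes its own line.
    static String naiveHeader(String name, String value) {
        return name + ": " + value + "\r\n";
    }

    // Strips CR and LF from the value before it is written. This is the
    // effect the message credits Tomcat with; the code here is ours.
    static String sanitizeHeaderValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c != '\r' && c != '\n') {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    static String safeHeader(String name, String value) {
        return name + ": " + sanitizeHeaderValue(value) + "\r\n";
    }

    // Number of CRLF-terminated lines in the serialized header text. A
    // single header must come out as exactly one line.
    static int lineCount(String serialized) {
        return serialized.split("\r\n", -1).length - 1;
    }

    public static void main(String[] args) {
        String naive = naiveHeader("Location", PAYLOAD);
        String safe = safeHeader("Location", PAYLOAD);
        System.out.println("unfiltered value yields " + lineCount(naive) + " lines:");
        System.out.print(naive);
        System.out.println("sanitized value yields " + lineCount(safe) + " line:");
        System.out.print(safe);
    }
}
```

Compile and run with javac/java; the unfiltered version prints four lines (the forged Set-Cookie and the injected body among them), the sanitized version one. Stripping rather than rejecting keeps the container compatible with careless callers, but an application that wants to know its input was tampered with should validate the value itself before it reaches the header.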

Re: Cookie standards

2008-03-18 Thread Jim Manico
Right, but are there any active cookie standards that can be amended? 7 1/2 year old standards are not very valid or useful in the fast-moving internut world. - Jim The standard is only 7 1/2 years old; http://www.ietf.org/rfc/rfc2965 Jim Manico wrote: According to Daniel Stenberg, Cookies

Cookie standards

2008-03-18 Thread Jim Manico
According to Daniel Stenberg, Cookies are not even *mentioned* in RFC2616 Per http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0623.html "On Tue, 18 Mar 2008, Jim Manico wrote: > Are there any efforts underway to support the HttpOnly cookie directive > within any version

Re: Adding HTTPOnly support to Tomcat

2008-03-10 Thread Jim Manico
Remy, I recommend more careful research on this topic. IE 6+ supports HttpOnly Firefox 2.0.0.6+ supports HttpOnly Opera 9.5+ has promised HttpOnly support Safari is still considering On Mon, 2008-03-10 at 08:16 -0400, Jim Manico wrote: Remy, This is not an MS hack, but a security

Re: Adding HTTPOnly support to Tomcat

2008-03-10 Thread Jim Manico
Remy, This is not an MS hack, but a security enhancement supported by all browsers. Do some research and get back to us. Jim On Mar 10, 2008, at 5:33 AM, Remy Maucherat <[EMAIL PROTECTED]> wrote: On Sun, 2008-03-09 at 19:56 -0700, Filip Hanik - Dev Lists wrote: haven't forgotten about you,

Adding HTTPOnly support to Tomcat

2008-03-09 Thread Jim Manico
Gentlemen, I'd like to make a suggestion to add HTTPOnly support to Tomcat 5.5 (for starters). This is a significant security enhancement that will assist in preventing XSS attacks. http://msdn2.microsoft.com/en-us/library/ms533046.aspx Since the javax core is a "sacred" portion of the codeb
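An added example, not from the thread and not Tomcat's implementation: the Servlet API of the Tomcat 5.5/6.0 era (2.4/2.5) has no setHttpOnly on javax.servlet.http.Cookie, so a container or filter wanting the attribute has to append it to the Set-Cookie header text itself. The block builds such a header and includes the check one would run against a live server's Set-Cookie headers to confirm the session cookie actually carries HttpOnly (and Secure). Class and method names are ours; the cookie name JSESSIONID is Tomcat's default session cookie, the value is made up.

```java
import java.util.Locale;

public class HttpOnlyCookieDemo {

    // Builds the Set-Cookie header text for a session cookie, appending
    // the HttpOnly attribute described at the Microsoft URL in the
    // message. Method and parameter names here are ours.
    static String setCookieHeader(String name, String value, String path,
                                  boolean secure, boolean httpOnly) {
        StringBuilder sb = new StringBuilder();
        sb.append(name).append('=').append(value);
        if (path != null) {
            sb.append("; Path=").append(path);
        }
        if (secure) {
            sb.append("; Secure");
        }
        if (httpOnly) {
            sb.append("; HttpOnly");
        }
        return sb.toString();
    }

    // Check to run over a real response's Set-Cookie header values: does
    // the cookie with the given name carry the given attribute? Attribute
    // names are case-insensitive, so compare in lower case. Returns false
    // when the header is for a different cookie.
    static boolean cookieHasAttribute(String setCookieValue, String cookieName,
                                      String attribute) {
        String[] parts = setCookieValue.split(";");
        String nameValue = parts[0].trim();
        int eq = nameValue.indexOf('=');
        String name = eq < 0 ? nameValue : nameValue.substring(0, eq);
        if (!name.equals(cookieName)) {
            return false;
        }
        String want = attribute.toLowerCase(Locale.ROOT);
        for (int i = 1; i < parts.length; i++) {
            if (parts[i].trim().toLowerCase(Locale.ROOT).equals(want)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values: one cookie as a 5.5 container would
        // emit it, one with the proposed attribute (and Secure) added.
        String plain = setCookieHeader("JSESSIONID", "A1B2C3", "/", false, false);
        String hardened = setCookieHeader("JSESSIONID", "A1B2C3", "/", true, true);
        for (String h : new String[] { plain, hardened }) {
            System.out.println("Set-Cookie: " + h);
            System.out.println("  HttpOnly: " + cookieHasAttribute(h, "JSESSIONID", "HttpOnly")
                + ", Secure: " + cookieHasAttribute(h, "JSESSIONID", "Secure"));
        }
    }
}
```

In browsers that honour the attribute, script on the page cannot read a cookie flagged HttpOnly through document.cookie, which is what it buys against session theft by XSS; it does not stop the script from making requests that send the cookie, so it limits the damage of an XSS bug rather than preventing the bug.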

Re: DispatchData in ApplicationContext causes ClassLoader leak

2008-03-04 Thread Jim Manico
Remy, I think it would serve you to review the proposed Apache code of conduct at http://wiki.apache.org/incubator/CodeOfConduct *Motto* *Core Value* * Put community before code. * * collaboration * Let they that do the work make the decisions. self-determina

Re: Cookies are broken in 6.0.16?

2008-02-10 Thread Jim Manico
That post was meant to go to Filip only, since he is an old friend. I was not trying to poke fun at your perspective on this public list, Remy. I'm going to exit stage left and stop adding my thoughts to this thread. My apologies. - Jim On Sun, 2008-02-10 at 11:44 -0500, Jim Manico

Re: Cookies are broken in 6.0.16?

2008-02-10 Thread Jim Manico
Filip - you are 100% correct on this thread. Are you basically the traffic cop guarding the core of Tomcat? - Jim Mark Thomas wrote: Remy Maucherat wrote: Filip Hanik - Dev Lists wrote: Jim Manico wrote: > I guess we could throw a run time exception if the value contained any of th

Re: Cookies are broken in 6.0.16?

2008-02-10 Thread Jim Manico
such as reflective XSS due to poor input validation. Low risk as Filip saz, but a security problem nonetheless. - Jim Filip Hanik - Dev Lists wrote: Jim Manico wrote: > I guess we could throw a run time exception if the value contained any of those. other than that, I'm not sure how to

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Jim Manico
solution. - Jim Jim Manico wrote: > I guess we could throw a run time exception if the value contained any of those. other than that, I'm not sure how to behave I think this is the best case scenario for v0 cookies. Perhaps, if you really want to get fancy, you can add a flag to let l

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Jim Manico
> I guess we could throw a run time exception if the value contained any of those. other than that, I'm not sure how to behave I think this is the best case scenario for v0 cookies. Perhaps, if you really want to get fancy, you can add a flag to let legacy solutions roll back to the old/non-st

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Jim Manico
What about making //cookies v0 c = new javax.servlet.http.Cookie("abcv0","123=="); response.addCookie(c); At least throw some kind of malformedCookieData exception instead of just "failing gracefully" to accelerate programmers' ability to upgrade legacy systems? - Jim On Sat, 2008-02-09 at

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Jim Manico
Filip, Would you consider auto-encoding only = and ; in the cookie value, but leaving everything else alone for v0 cookies? Would this possibly pass TCK? - Jim no regression, if you do this c = new javax.servlet.http.Cookie("abcv1","123=="); c.setVersion(1); response.addCookie(c); then i

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Jim Manico
> response.addCookie(new Cookie("test_cookie3", "123===")) looks like something which should be working. Honestly, this is not user driven - it's only server programmer driven. I would dare to say this is either absolutely horrible server side programming or a possible attempt at a hack/atta

HTTPOnly session cookie security support

2008-02-08 Thread Jim Manico
I would like to add HTTPOnly support to the tomcat session handler I added a bugzilla item http://issues.apache.org/bugzilla/show_bug.cgi?id=44382 Thoughts would be greatly appreciated Jim Manico, Senior Application Security Engineer <mailto:[EMAIL PROTECTED]>

Adding HTTPONLY cookie support option to Tomcat 5.5/6

2008-02-07 Thread Jim Manico
tly appreciated. Best, Jim Manico

restarting tomcat

2006-02-15 Thread Jim Manico
using the latest JDK and JRE. We suspect this is an issue with Tomcat's classloader. Any suggestions? Jim Manico VP Software Engineering CodeMagi, Inc. 808-652-3805 cell 801-606-7888 fax [EMAIL PROTECTED]