AW: AW: FileUpload class not working with Tomcat 10.1

2023-11-13 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Mark, > -Original Message- > From: Mark Foley > Sent: Monday, 13 November 2023 23:12 > To: users@tomcat.apache.org > Subject: Re: AW: FileUpload class not working with Tomcat 10.1 > > On Mon Nov 13 02:18:49 2023 "Thomas Hoffmann (Speed4Trade GmbH)" > wrote: > > Hello,

Re: Is the HTTP/2 Rapid Reset Exploit still possible on 2.4.58?

2023-11-13 Thread Dan McLaughlin
Yep, wrong list. Sorry. On Mon, Nov 13, 2023 at 4:37 PM Chuck Caldarale wrote: > You may have the wrong mailing list - this one is for Tomcat, but your > query seems to be solely about Apache httpd. > > - Chuck > > > > > On Nov 13, 2023, at 16:03, Dan McLaughlin > wrote: > > > > In the past

Re: CredentialHandler not working for MD5

2023-11-13 Thread Peter Otto
More info…. In the Request Header-> Authorization->Response. Response is used as the clientDigest. However this response is generated, it is incorrect. Need to understand where Tomcat generates this Response because it is used for comparison of the serverDigest. And if the server digest eq

Re: Is the HTTP/2 Rapid Reset Exploit still possible on 2.4.58?

2023-11-13 Thread Chuck Caldarale
You may have the wrong mailing list - this one is for Tomcat, but your query seems to be solely about Apache httpd. - Chuck > On Nov 13, 2023, at 16:03, Dan McLaughlin wrote: > > In the past several weeks, we've been dealing with what seems to be a > denial of service attack against our si

Re: AW: FileUpload class not working with Tomcat 10.1

2023-11-13 Thread Mark Foley
On Mon Nov 13 02:18:49 2023 "Thomas Hoffmann (Speed4Trade GmbH)" wrote: > Hello, > > > -Original Message- > > From: Mark Foley > > Sent: Sunday, 12 November 2023 19:04 > > To: users@tomcat.apache.org > > Subject: Re: FileUpload class not working with Tomcat 10.1 > > > > On F

Is the HTTP/2 Rapid Reset Exploit still possible on 2.4.58?

2023-11-13 Thread Dan McLaughlin
In the past several weeks, we've been dealing with what seems to be a denial of service attack against our site. We were seeing similar messages in our logs before Apache became unresponsive. I attributed it to the HTTP/2 Rapid Reset Exploit because we ran 2.4.57 then. Last week, I upgraded to 2

Re: CredentialHandler not working for MD5

2023-11-13 Thread Peter Otto
Chris, Running the debugger, I found out the DigestAuthenticator wants to use SHA-256. 8 months ago there was a change for RFC 7616. https://github.com/apache/tomcat/blob/9.0.74/java/org/apache/catalina/authenticator/DigestAuthenticator.java To bypass the array of digest, I commented out some

Re: Tomcat 10.1.15 JVM crashes randomly on startup

2023-11-13 Thread Mark Thomas
On 13/11/2023 07:52, Øyvind Flatval wrote: Greetings! We are currently experiencing a very vague problem with our Tomcat 10.1 instance, where the JVM will crash almost instantly after Tomcat is done starting up. The problem happens somewhat regularly, and only happens within the first minute