On Tue, 21 Aug 2001 09:47:33 -0500, you wrote:
>The problem is that Apache is serving the file and not forwarding the
>request to Tomcat. Tomcat would *not* return the JSP contents for this URL,
>it would return a 404 error.
Yes, it could be but...
>I've heard this same problem from another user who is also using Apache
>1.3.20. I can't duplicate the problem using Apache 1.3.19 so maybe
>something changed in the latest version of Apache.
Are you using mod_jserv instead of mod_jk? I have another server with
a similar Apache setup (and the same version: 1.3.20) but using mod_jserv
(instead of mod_jk). This time the bug couldn't be reproduced. I also
noticed that Apache/Tomcat changes the URL, replacing the \ char with a /. I
mean, if I enter "http://www.foo.com/\bar/home.jsp" in the browser then it
is automatically changed to "http://www.foo.com//bar/home.jsp" and a 404
error is returned.
Who is doing this replacement? Apache or Tomcat? Perhaps it could be
the trace that confirms who is serving the .jsp source.
Some data:
This is the mod_jserv machine (apparently not vulnerable):
Server version: Apache/1.3.20 (Unix)
Server built: Jul 4 2001 19:52:43
Server's Module Magic Number: 19990320:10
Server compiled with....
-D EAPI
-D HAVE_MMAP
-D HAVE_SHMGET
-D USE_SHMGET_SCOREBOARD
-D USE_MMAP_FILES
-D USE_SYSVSEM_SERIALIZED_ACCEPT
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D HTTPD_ROOT="/usr/local/apacheJSP"
-D SUEXEC_BIN="/usr/local/apacheJSP/bin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/httpd.scoreboard"
-D DEFAULT_LOCKFILE="logs/httpd.lock"
-D DEFAULT_XFERLOG="logs/access_log"
-D DEFAULT_ERRORLOG="logs/error_log"
-D TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
-D ACCESS_CONFIG_FILE="conf/access.conf"
-D RESOURCE_CONFIG_FILE="conf/srm.conf"
This is the mod_jk machine (*vulnerable*):
Server version: Apache/1.3.20 (Unix)
Server built: Jul 10 2001 18:04:44
Server's Module Magic Number: 19990320:10
Server compiled with....
-D EAPI
-D HAVE_MMAP
-D HAVE_SHMGET
-D USE_SHMGET_SCOREBOARD
-D USE_MMAP_FILES
-D USE_SYSVSEM_SERIALIZED_ACCEPT
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D HTTPD_ROOT="/usr/local/apache"
-D SUEXEC_BIN="/usr/local/apache/bin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/httpd.scoreboard"
-D DEFAULT_LOCKFILE="logs/httpd.lock"
-D DEFAULT_XFERLOG="logs/access_log"
-D DEFAULT_ERRORLOG="logs/error_log"
-D TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
-D ACCESS_CONFIG_FILE="conf/access.conf"
-D RESOURCE_CONFIG_FILE="conf/srm.conf"
>I'd go back to Apache 1.3.19 and see if that fixes the problem. Another
>solution is to add the following line to your mod_jk.conf file
>
>JkMount /bar/* ajp13
This doesn't solve the problem because the \ trick is performed
before /bar. Since I'm requesting bar.jsp, it would equally match
/bar/*.jsp as well as /bar/*.
Any ideas? TIA
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
[EMAIL PROTECTED]
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
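
Added example, not part of the original message and not Apache or Tomcat code: a log check for the request shape discussed in this thread, a .jsp request whose path contains a backslash. It assumes an Apache access log in Common Log Format with the request line written unescaped; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
# (assumed log layout; adjust the pattern if a custom LogFormat is in use)
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify(line):
    """Return None, or (host, path, verdict) for a .jsp request with a backslash in its path."""
    m = CLF.match(line)
    if not m:
        return None
    # Drop the query string, then decode once so %5c and a raw \ look the same.
    path = unquote(m.group("target").split("?", 1)[0])
    if "\\" not in path or not path.lower().endswith(".jsp"):
        return None
    # 2xx: a body was returned, so check whether it was JSP source.
    # Anything else (e.g. the 404 mentioned in the thread) is only logged as a probe.
    verdict = "served" if m.group("status").startswith("2") else "probe"
    return (m.group("host"), path, verdict)


def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [21/Aug/2001:16:01:12 +0200] "GET /bar/home.jsp HTTP/1.0" 200 2310',
    '192.0.2.44 - - [21/Aug/2001:16:02:40 +0200] "GET /\\bar/home.jsp HTTP/1.0" 200 1874',
    '192.0.2.44 - - [21/Aug/2001:16:02:51 +0200] "GET /%5Cbar/home.jsp HTTP/1.0" 404 279',
    '192.0.2.51 - - [21/Aug/2001:16:05:03 +0200] "GET /bar/logo.gif HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for host, path, verdict in scan(SAMPLE):
        print(f"{verdict:6} {host} {path}")
```

A "served" hit only says that some handler answered the request with a body; comparing the logged response size with the size of the .jsp file on disk helps decide whether raw source went out.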