André,

On 5/27/14, 10:03 AM, André Warnier wrote:
> Mark Thomas wrote:
>> On 27/05/2014 14:05, André Warnier wrote:
>>> Mark Thomas wrote:
>>>> CVE-2014-0099 Information Disclosure
>>>>
>>> ...
>>>
>>>> Description: The code used to parse the request content
>>>> length header did not check for overflow in the result. This
>>>> exposed a request smuggling vulnerability when Tomcat was
>>>> located behind a reverse proxy that correctly processed the
>>>> content length header.
>>>>
>>> I believe you, but I must admit that I don't really get what
>>> the problem is, here.
>>
>> Sure. First of all exploiting this is not easy.
>>
>> The problem occurs when the content-length overflows during
>> parsing. Tomcat ends up with a lower value for the content length
>> than is really the case. Tomcat will, therefore, read the first
>> part of the request (up to the length it thinks it is) and
>> process it. Assuming keep-alive is being used, Tomcat will then
>> process the remainder of the request as a new request and
>> generate a response for that.
>>
>> Things get messy when there is a reverse proxy in the mix that
>> correctly processes the content length.
>>
>> What ends up happening is this.
>>
>> User A sends request A to proxy. Proxy sends request A to
>> Tomcat. Tomcat processes the first part of request A and sends
>> response A1 to the proxy. The proxy sends response A1 to user A.
>> User B sends request B to proxy. Proxy sends request B to Tomcat
>> (using the same connection as for request A). Tomcat processes the
>> remainder of request A and sends response A2 to the proxy. Proxy
>> sends response A2 to user B.
>>
>> And you end up with all future responses on that connection going
>> to the wrong user until (which will probably happen fairly soon)
>> Tomcat or the proxy get to a point they realise something is
>> wrong and close the connection.
>>
>> How much deliberate, targeted harm you can do depends a lot on
>> the application. It is certainly easy to trigger response mix-up
>> and - for example on a banking site - that would be bad even if
>> that was all you could do.
>>
>
> Thank you for the limpid explanation. Yes, difficult to take
> advantage of, but certainly confusing for user B, to get something
> he didn't ask for.

Some of my best English vocabulary comes from Belgians. And waffles.

-chris
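The sequence Mark walks through above (A1 to user A, A2 to user B), as an added in-memory simulation; this is illustrative code, not Tomcat's parser or the list's own material. It assumes a backend that accumulates the Content-Length digits in a fixed-width integer that silently wraps (16 bits here, purely so the constructed body stays small; the mechanism is the same for a 32- or 64-bit accumulator, only the declared length and body get enormous), a reverse proxy that parses the header correctly, reuses one keep-alive connection and reads one response per request it forwards, and requests and responses that are constructed inline. `run_scenario` returns what user A and user B each get back; with the unchecked parser user B receives the response to the smuggled second request, while the overflow-checked parser makes the backend reject request A with a 400 and close the connection, so nothing is left behind to desync.

```python
"""Added simulation of a Content-Length overflow desync behind a correct proxy.
Assumption (demo only): the vulnerable backend wraps at WIDTH_BITS bits."""

WIDTH_BITS = 16            # assumed accumulator width, chosen small for the demo
WRAP = 1 << WIDTH_BITS


def parse_content_length_naive(value: str) -> int:
    """No overflow check: the result silently wraps modulo 2**WIDTH_BITS."""
    n = 0
    for ch in value.strip():
        if not ch.isdigit():
            raise ValueError("non-digit in Content-Length")
        n = (n * 10 + int(ch)) % WRAP
    return n


def parse_content_length_checked(value: str) -> int:
    """Same accumulator width, but refuses a value that would overflow it."""
    n, limit = 0, WRAP - 1
    for ch in value.strip():
        if not ch.isdigit():
            raise ValueError("non-digit in Content-Length")
        d = int(ch)
        if n > (limit - d) // 10:          # n*10 + d would exceed limit
            raise OverflowError("Content-Length overflows accumulator")
        n = n * 10 + d
    return n


def parse_head(head: bytes):
    """Split a request head into (request line, {lower-cased name: value})."""
    request_line, *lines = head.decode("ascii", "replace").split("\r\n")
    headers = {}
    for line in lines:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return request_line, headers


class Backend:
    """One keep-alive connection to the origin; responses are queued in order."""

    def __init__(self, parse_cl):
        self.parse_cl = parse_cl
        self.inbuf = b""
        self.responses = []
        self.closed = False

    def receive(self, data: bytes) -> None:
        self.inbuf += data
        while not self.closed:
            end = self.inbuf.find(b"\r\n\r\n")
            if end < 0:
                return                                   # need more bytes
            request_line, headers = parse_head(self.inbuf[:end])
            try:
                length = self.parse_cl(headers.get("content-length", "0"))
            except (ValueError, OverflowError):
                self.responses.append(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
                self.inbuf, self.closed = b"", True      # discard the rest and close
                return
            start = end + 4
            if len(self.inbuf) < start + length:
                return                                   # body not complete yet
            body, self.inbuf = self.inbuf[start:start + length], self.inbuf[start + length:]
            target = request_line.split(" ")[1]
            self.responses.append(
                f"HTTP/1.1 200 OK\r\n\r\nserved {target} ({len(body)} body bytes)".encode())
            # Whatever is left in inbuf is parsed as the *next* request.


class Proxy:
    """Reverse proxy that frames requests correctly, reuses one backend
    connection and reads exactly one response per request it forwards."""

    def __init__(self, backend_parse_cl):
        self.new_conn = lambda: Backend(backend_parse_cl)
        self.conn = self.new_conn()

    def forward(self, raw: bytes) -> bytes:
        head, _, body = raw.partition(b"\r\n\r\n")
        _, headers = parse_head(head)
        if len(body) != int(headers.get("content-length", "0")):   # correct parse
            raise ValueError("proxy: body length does not match header")
        if self.conn.closed:
            self.conn = self.new_conn()
        self.conn.receive(raw)
        return self.conn.responses.pop(0)


def build_request_a() -> bytes:
    """Constructed attacker request: declares WRAP + 5 body bytes. A wrapping
    parser sees 5; the remaining WRAP bytes form a complete second request,
    padded to exactly WRAP bytes with a junk header."""
    core, tail = b"GET /smuggled HTTP/1.1\r\nHost: app\r\nX-Pad: ", b"\r\n\r\n"
    smuggled = core + b"a" * (WRAP - len(core) - len(tail)) + tail
    body = b"junk!" + smuggled
    return (b"POST /upload HTTP/1.1\r\nHost: app\r\n"
            + f"Content-Length: {len(body)}\r\n\r\n".encode() + body)


def run_scenario(backend_parse_cl):
    """Return (what user A receives, what user B receives)."""
    proxy = Proxy(backend_parse_cl)
    resp_a = proxy.forward(build_request_a())
    resp_b = proxy.forward(b"GET /account HTTP/1.1\r\nHost: app\r\n\r\n")
    return resp_a.decode(), resp_b.decode()


if __name__ == "__main__":
    for name, fn in (("unchecked", parse_content_length_naive),
                     ("checked", parse_content_length_checked)):
        a, b = run_scenario(fn)
        print(f"{name}: user A got {a!r}\n{name}: user B got {b!r}")
```

The check in `parse_content_length_checked` is the whole fix: a length that cannot be represented is an error to reject, never a value to wrap. Shrinking the accumulator to 16 bits is what makes the attack cheap here; with a realistic 64-bit accumulator the declared length and the body the proxy must actually relay become astronomically large, which is consistent with Mark's remark that exploiting this is not easy.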