Hi,
From the Tomcat 6.0.28 fix list:
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.28
there are two security vulnerabilities fixed, but after several trials I
have no idea how to trigger these flaws in Tomcat 6.0.27 or what the
failure should be.
For example, the first one: *Remote Denial Of Service and Information
Disclosure Vulnerability*
I created a client sending a POST request whose Transfer-Encoding is
"unsupported" to a servlet; the servlet returns
"Server returned HTTP response code: 501". Is this the failure symptom? Here
is my client:
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection;
import java.net.ProtocolException;
import java.net.URL;
import java.net.URLConnection;

public class SecurityClient {
    public static void main(String[] args) {
        try {
            URL url = new URL("http://localhost:8080/SecurityTomcat/SecurityServlet");
            URLConnection connection = url.openConnection();
            ((HttpURLConnection) connection).setRequestMethod("POST");
            connection.setDoOutput(true);
            connection.setDoInput(true); // Only if you expect to read a response...
            connection.setUseCaches(false); // Highly recommended...
            connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            //connection.setRequestProperty("Transfer-Encoding", "unsupported");
            // Request header under test: a transfer coding the server does not support
            connection.setRequestProperty("Transfer-Encoding", "unsupported");
            PrintWriter output;
            output = new PrintWriter(new OutputStreamWriter(connection.getOutputStream()));

            // Send the POST body
            output.write("test send post");
            // output.write(request);
            output.flush();
            // getInputStream() throws IOException when the server answers with an error status
            BufferedReader reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));

            // Collect the response body up to the first empty line
            StringBuilder sb = new StringBuilder();
            String line = reader.readLine();
            while (line != null && line.length() > 0) {
                sb.append(line);
                line = reader.readLine();
            }
            System.out.println(sb.toString());
            output.close();
            reader.close();

        } catch (UnsupportedEncodingException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (ProtocolException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (IOException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    }
}

The second one, *Information disclosure in authentication headers*: in my
opinion, this is reproduced by sending an unauthorized request, and then a
401 status code returns. If I can catch the WWW-Authenticate HTTP header
content, the server hostname will be printed out, am I right?
Can someone give some hints? Thanks in advance!

-- 
viola
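
An added example, not part of the original message: a small offline check for the second question, which reads the realm out of a WWW-Authenticate header value and flags one that looks like a host name and port rather than a configured realm name. The class and method names are hypothetical, the host:port shape of a disclosed realm is an assumption, and the header values are constructed samples.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RealmLeakCheck {
    // realm="..." parameter of a BASIC or DIGEST challenge
    private static final Pattern REALM =
            Pattern.compile("\\brealm\\s*=\\s*\"([^\"]*)\"", Pattern.CASE_INSENSITIVE);
    // Assumed shape of a disclosed realm: host name or IP address, colon, port
    private static final Pattern HOST_PORT =
            Pattern.compile("^\\[?[A-Za-z0-9.:-]+\\]?:\\d{1,5}$");

    /** Returns the realm value, or null when the header carries none. */
    static String realmOf(String wwwAuthenticate) {
        if (wwwAuthenticate == null) {
            return null;
        }
        Matcher m = REALM.matcher(wwwAuthenticate);
        return m.find() ? m.group(1) : null;
    }

    /** True when the realm has the host:port shape instead of a descriptive name. */
    static boolean looksLikeHostPort(String realm) {
        return realm != null && HOST_PORT.matcher(realm).matches();
    }

    public static void main(String[] args) {
        // Constructed sample header values, not captured from a real server.
        String[] samples = {
            "Basic realm=\"app01.internal.example:8080\"",
            "Basic realm=\"10.0.0.12:8080\"",
            "Digest realm=\"Customer Portal\", qop=\"auth\", nonce=\"abc\"",
            "Basic realm=\"Authentication required\"",
        };
        for (String header : samples) {
            String realm = realmOf(header);
            // Flag host:port realms for review; descriptive realm names pass
            System.out.printf("%-6s %s%n", looksLikeHostPort(realm) ? "LEAK?" : "ok", header);
        }
    }
}
```

With the samples above, the first two headers are flagged and the last two pass.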