After debugging into the Tomcat source code, I found that if Transfer-Encoding is set to 'buffered', Tomcat 6.0.26 will report a null pointer exception in the buffered filter recycle, but Tomcat 6.0.29 directly reports a 501 error. But I am not sure how attackers obtain sensitive information via a crafted header?

On Thu, Sep 23, 2010 at 11:29 AM, viola lu <viola...@gmail.com> wrote:

> Thanks. I tried it on tomcat 6.0.26, and 6.0.29, it worked for the second
> one, I can get correct response headers on tomcat 6.0.26 and tomcat 6.0.29:
> tomcat 6.0.26
> suse10sp268:~ # wget -S -O - --post-data='test send post'
> http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
> --07:21:33--
> http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
> => `-'
> Connecting to 9.125.1.248:8080... connected.
> HTTP request sent, awaiting response...
> HTTP/1.1 401 Unauthorized
> Server: Apache-Coyote/1.1
> *WWW-Authenticate: Basic realm="9.125.1.248:8080"*
>
> *tomcat 6.0.29:*
> suse10sp268:~ # wget -S -O - --post-data='test send post'
> http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
> --07:24:02--
> http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor =>
> `-'
> Connecting to 9.125.1.248:8080... connected.
> HTTP request sent, awaiting response...
> HTTP/1.1 401 Unauthorized
> Server: Apache-Coyote/1.1
> *WWW-Authenticate: Basic realm="Authentication required"*
>
> But for the first one, both got the same response: 200 OK as below:
> suse10sp268:~ # wget -S -O - --header='Transfer-Encoding:unsupported'
> --post-data='test send post'
> http://9.125.1.248:8080/SecurityTomcat/SecurityServlet
> --07:12:16-- http://9.125.1.248:8080/SecurityTomcat/SecurityServlet
> => `-'
> Connecting to 9.125.1.248:8080... connected.
> HTTP request sent, awaiting response...
> HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Content-Type: text/html
> Content-Length: 61
> Date: Thu, 23 Sep 2010 03:09:09 GMT
> Connection: keep-alive
> Length: 61 [text/html]
> 0%
> [
> ] 0 --.--K/s unsupported
>
> application/x-www-form-urlencoded
> 9.125.1.248
> 100%[=====================================================================================================================================>]
> 61 --.--K/s
>
> 07:12:16 (7.27 MB/s) - `-' saved [61/61]
>
> Seems no difference on tomcat 6.0.26 and tomcat 6.0.29, is there something
> wrong?
> Appreciate if you can provide more help!
>
>
> On Thu, Sep 23, 2010 at 2:25 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Viola,
>>
>> On 9/21/2010 10:13 PM, viola lu wrote:
>> > Here is my client:
>>
>> [snip]
>>
>> Note that your client can be replaced by this one-liner:
>>
>> $ wget -S -O - --header='Transfer-Encoding: unsupported' \
>> --post-data='test send post' \
>> http://localhost:8080/SecurityTomcat/SecurityServlet
>>
>> It also has the added advantages of not stripping newlines from the
>> response, and including the response headers in the output.
>>
>> -chris
>
> --
> viola

--
viola
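
An added example, not part of the original thread: a small Python check over `wget -S` header output like that quoted above, flagging a Basic challenge whose realm echoes the host and port the client connected to, as the 6.0.26 response does. The function names and the embedded header samples are constructed for illustration.

```python
import re

# Constructed samples: the `wget -S` response headers quoted in the thread.
HEADERS_6_0_26 = '''  HTTP/1.1 401 Unauthorized
  Server: Apache-Coyote/1.1
  *WWW-Authenticate: Basic realm="9.125.1.248:8080"*
'''
HEADERS_6_0_29 = '''  HTTP/1.1 401 Unauthorized
  Server: Apache-Coyote/1.1
  WWW-Authenticate: Basic realm="Authentication required"
'''
HEADERS_200 = '''  HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Content-Type: text/html
'''

STATUS_RE = re.compile(r'^\s*HTTP/\d\.\d\s+(\d{3})\b', re.M)
# The optional "*" tolerates the mail client's emphasis markers around the header.
REALM_RE = re.compile(
    r'^\s*\*?WWW-Authenticate:\s*Basic\s+realm="([^"]*)"', re.I | re.M)


def parse_challenge(headers):
    """Return (status, realm) for the first response; realm is None if absent."""
    status = STATUS_RE.search(headers)
    realm = REALM_RE.search(headers)
    return (int(status.group(1)) if status else None,
            realm.group(1) if realm else None)


def realm_discloses_host(headers, host, port):
    """True when the Basic realm echoes the host (or host:port) the client used."""
    _, realm = parse_challenge(headers)
    if realm is None:
        return False
    realm = realm.strip().lower()
    return realm in (host.lower(), f"{host.lower()}:{port}")


if __name__ == "__main__":
    samples = [("6.0.26", HEADERS_6_0_26), ("6.0.29", HEADERS_6_0_29),
               ("200 response", HEADERS_200)]
    for name, hdrs in samples:
        status, realm = parse_challenge(hdrs)
        leak = realm_discloses_host(hdrs, "9.125.1.248", 8080)
        print(f"{name}: status={status} realm={realm!r} echoes_host={leak}")
```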