falva...@geocom.com.uy wrote:
> I know we are going a little off the original topic, but for me this is very
> interesting.
> I think I understand your point:
> Any library in /webapp/lib/ that has access to executing Linux
> commands (as you point out) could be executed as well from any browser.
No, unless it is specifically mapped to a URL in web.xml.
If invoker is not enabled, unless this class is mapped there is no
possible harm.
> Your example made clear the damage potential in using invoker.
> But: unless there are JARs with these capabilities in Tomcat's distribution or
> standard packages (like xstream, axis, itext, ...) this is a very improbable
> situation, right?
All of those are open-source. So anyone can examine the code to determine if there is some
function in there that can be misused.
> Because whoever writes this URL should precisely know the
> architecture of the application in order to use a non-standard library or
> servlet.
Yes, but they can find out, using the same invoker servlet. They just have to try any URL
they can think of, until it works.
Have you ever looked at your Internet webserver logs, and seen lines like these?
[Tue May 31 04:02:30 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/w00tw00t.at.blackhats.romanian.anti-sec:)
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/phpMyAdmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/phpmyadmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/pma
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/myadmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/MyAdmin
Now, where do you think these come from?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
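The point of the reply above is that an attacker does not need to know your application's layout: with the invoker servlet enabled they can simply guess class names by URL, and the "File does not exist" bursts in the error log are exactly what that guessing looks like from the server side. As an added example (not code from the thread or from Tomcat), here is a small Python detector that parses Apache httpd error_log lines of the format quoted above, groups the missing-file errors per client, and flags a client either when it requests many distinct non-existent paths within a short window (brute-force guessing) or when it hits a path that only a scanner asks for. The log lines embedded below are constructed for the example, modelled on the ones in the message (same scanner, same probed paths, plus an innocent second client); the marker list and thresholds are assumptions you would tune for your own site.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample input in Apache httpd error_log format, modelled on the
# lines quoted in the thread plus one innocuous client for contrast.
SAMPLE_LOG = """\
[Tue May 31 04:02:30 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/w00tw00t.at.blackhats.romanian.anti-sec:)
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/phpMyAdmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/phpmyadmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/pma
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/myadmin
[Tue May 31 04:02:31 2011] [error] [client 91.121.243.113] File does not exist: /var/www/default/docs/MyAdmin
[Tue May 31 04:05:02 2011] [error] [client 10.0.0.7] File does not exist: /var/www/default/docs/favicon.ico
[Tue May 31 04:09:15 2011] [error] [client 10.0.0.7] File does not exist: /var/www/default/docs/robots.txt
"""

# One regex for the classic "[date] [error] [client ip] File does not exist: path" line.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>.*)$"
)

# Assumed scanner signatures: the w00tw00t string is a well-known mass-scanner
# marker, the others are guessable admin-tool paths nobody legitimately asks for.
SCANNER_MARKERS = ("w00tw00t", "phpmyadmin", "/pma", "myadmin")


def parse_line(line):
    """Return (timestamp, client_ip, path) for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("ip"), m.group("path")


def find_probing_clients(log_text, min_paths=5, window_seconds=60):
    """Flag clients that requested at least `min_paths` distinct missing paths
    within `window_seconds` (URL guessing), or that hit any scanner marker.
    Returns {ip: {"paths": [...], "signatures": [...], "burst": bool}}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, ip, path = rec
            by_ip[ip].append((ts, path))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        signatures = sorted({p for _, p in events
                             if any(mk in p.lower() for mk in SCANNER_MARKERS)})
        burst = False
        # Sliding window: count distinct paths starting from each event.
        for i in range(len(events)):
            seen = set()
            j = i
            while j < len(events) and \
                    (events[j][0] - events[i][0]).total_seconds() <= window_seconds:
                seen.add(events[j][1])
                j += 1
            if len(seen) >= min_paths:
                burst = True
                break
        if burst or signatures:
            flagged[ip] = {"paths": sorted({p for _, p in events}),
                           "signatures": signatures, "burst": burst}
    return flagged


if __name__ == "__main__":
    # Read a real error_log from stdin, or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for ip, info in find_probing_clients(text).items():
        why = "burst" if info["burst"] else "signature"
        print(f"{ip}: {len(info['paths'])} missing paths, flagged by {why}")
```

Run it as `python3 detect.py < /var/log/apache2/error.log`; the scanning host from the thread is flagged on both criteria, while a client that merely missed favicon.ico and robots.txt minutes apart is not. The same per-client burst logic applies unchanged to Tomcat access logs with 404 status codes, which is where invoker-servlet guessing against /servlet/ClassName URLs would show up.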