Konstantin Preißer wrote:
...
2. I observed that when a request is made to IIS which is mapped to Tomcat, and the
request path contains the string "WEB-INF", like
http://www.example.com/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf
then the ISAPI connector logs a statement like this:
[Sat Mar 10 22:34:58.030 2012] [11744:10792] [emerg]
handle_notify_event::jk_isapi_plugin.c (1997):
[/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf] points to the web-inf or
meta-inf directory. Somebody tries to hack into the site!!!
If I remember correctly, in some earlier versions of the ISAPI connector (or
IIS), in such cases the TCP connection from IIS to the client would also be
closed without any reply; however, in the current version, a 404 reply is sent
from the ISAPI connector.
I'm wondering why the ISAPI redirector checks whether "WEB-INF" occurs in the path, because Tomcat seems to already check if a request is made to the WEB-INF or META-INF directory of a web application, and if so, sends back a normal 404 response. Is this a kind of relic from earlier times? Because I would expect that the ISAPI redirector just passes the request to Tomcat and lets Tomcat decide how requests to forbidden directories are handled, without writing an "emergency" log entry.
That is probably what isapi_redirector does anyway (forward the request to Tomcat, and let
Tomcat send the 404 response (which may be customised)).
But perhaps the log message in the isapi_redirector log is there for the following reason:
when Tomcat is hosted on a separate host, it may be nice, on the IIS/isapi_redirector
host, to have a log entry recording this. Just in case the IIS-side logs are being
watched closely, and the Tomcat logs less so.
After all, someone using a URL including WEB-INF or META-INF is quite likely to be
someone who /is/ trying to hack the system.
That kind of overlaps the warning in red text that is present on the connector's "how-to"
pages, like:
However, you should be very careful when you implement the following configuration style,
because by doing so you are in fact providing a "back-door" to IIS, and allowing it to
serve files out of a Tomcat context without Tomcat's knowledge, thus bypassing any
security restrictions which Tomcat itself and the Tomcat context (webapp) may place on
those files.
Does this log message bother you? Why would you want to /not/ have it?
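The reply above argues the emerg entry is useful precisely because the IIS-side log may be watched more closely than Tomcat's. As an added example (not code from either poster or from the Tomcat project), here is a small Python parser that pulls those WEB-INF/META-INF refusals out of an isapi_redirector log so they can be counted or forwarded to whatever is watching the IIS host; the log sample is constructed around the entry quoted in the thread, and the two extra lines (including the worker name) are made up in the same format.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample isapi_redirector log. The first line is the entry quoted in
# the thread; the other two are made up in the same format to exercise the parser.
SAMPLE_LOG = """\
[Sat Mar 10 22:34:58.030 2012] [11744:10792] [emerg] handle_notify_event::jk_isapi_plugin.c (1997): [/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf] points to the web-inf or meta-inf directory. Somebody tries to hack into the site!!!
[Sat Mar 10 22:35:02.415 2012] [11744:10792] [info] handle_notify_event::jk_isapi_plugin.c (2004): forwarding /test/index.jsp to worker ajp13w
[Sat Mar 10 22:35:09.770 2012] [11744:10800] [emerg] handle_notify_event::jk_isapi_plugin.c (1997): [/test/meta-inf/MANIFEST.MF] points to the web-inf or meta-inf directory. Somebody tries to hack into the site!!!
"""

# One log record: "[timestamp] [pid:tid] [level] function::file (line): message"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<pid>\d+):(?P<tid>\d+)\] \[(?P<level>\w+)\] "
    r"(?P<where>\S+) \((?P<srcline>\d+)\): (?P<msg>.*)$"
)
# The message the redirector writes when it refuses a WEB-INF / META-INF path.
BLOCKED_RE = re.compile(r"^\[(?P<path>[^\]]*)\] points to the web-inf or meta-inf directory")


def parse_blocked_requests(log_text):
    """Return one dict per WEB-INF/META-INF refusal found in the log text."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("level") != "emerg":
            continue
        b = BLOCKED_RE.match(m.group("msg"))
        if not b:
            continue
        path = b.group("path")
        upper = path.upper()  # the redirector's check is case-insensitive, so classify the same way
        target = "WEB-INF" if "WEB-INF" in upper else "META-INF" if "META-INF" in upper else "unknown"
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y"),
            "pid": int(m.group("pid")),
            "tid": int(m.group("tid")),
            "path": path,
            "target": target,
        })
    return events


def count_by_target(events):
    """Counter of refusals per protected directory, for a quick IIS-side overview."""
    return Counter(e["target"] for e in events)


if __name__ == "__main__":
    evs = parse_blocked_requests(SAMPLE_LOG)
    for e in evs:
        print(e["ts"].isoformat(), e["target"], e["path"])
    print(dict(count_by_target(evs)))
```

The info line is skipped because only emerg records carrying the "points to the web-inf or meta-inf directory" message are of interest; the pid:tid pair is kept so repeated refusals on the same worker thread can be correlated with the IIS request log.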