vulnerabilities file will be updated.
Changes from jakarta-tomcat-3.1:
===============================================================================
6. SECURITY VULNERABILITIES FIXED IN TOMCAT 3.1.1
6.1 Administrative Application Enabled By Default
The administrative application (at context path "/admin") was enabled by
default in Tomcat 3.1, which allowed unauthenticated remote users to add and
remove applications from a running Tomcat 3.1 installation if it was left
installed.
To avoid such problems, the administrative application has been removed from
the binary distribution of Tomcat 3.1.1. It can be installed if desired by:
- Downloading the source distribution of Tomcat 3.1.1.
- Modifying the "build.xml" file to remove the commenting around the
logic that creates the administrative application.
- Running the build.sh or build.bat script.
6.2 Case Sensitive Matches on Static Resources
In Tomcat 3.1, matches against the filenames of static resources were done in a
case insensitive manner on case insensitive platforms (such as Microsoft
Windows). This can cause sensitive information to be exposed to remote users
who experiment with differently cased request URIs.
To avoid such problems, Tomcat 3.1.1 performs filename comparisons for static
resources in a case sensitive manner, even on Windows. This means that your
hyperlinks must specify the correct case, or a 404 error will be returned.
Because this can cause significant conversion problems for existing
applications deployed on Tomcat 3.1, a configuration option is provided to
temporarily turn off case sensitive matching. Edit the file "conf/web.xml"
and modify the value for the "caseSensitive" initialization parameter to the
default file-serving servlet.
WARNING: CHANGING THIS SETTING WILL RE-INTRODUCE THE SECURITY VULNERABILITY
PRESENT IN TOMCAT 3.1 -- IT IS *STRONGLY* RECOMMENDED THAT YOU CORRECT YOUR
URLS TO MATCH CORRECTLY INSTEAD OF USING THIS OPTION. Note: All later
versions of Tomcat perform filename matches in a case sensitive manner.
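The following is an added example (not Tomcat's own code) of the kind of check that makes static-resource lookups case sensitive regardless of the underlying filesystem. Instead of asking the filesystem whether the requested name exists (which a case-insensitive platform answers "yes" for any casing), it walks the request path one segment at a time and accepts a segment only if a directory entry with exactly that name is listed. The request URI is assumed to be already percent-decoded, and the class name, method names and the temporary document root built in main() are all constructed for this illustration.

```java
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example: resolve a request URI against a document root requiring an
 * exact-case match for every path segment, even on a case-insensitive
 * filesystem such as Windows. Returns null when the request should be
 * answered with a 404.
 */
public final class CaseSensitiveResolver {

    private final Path docRoot;

    public CaseSensitiveResolver(Path docRoot) throws IOException {
        // toRealPath() follows symlinks and yields the on-disk form of the root itself.
        this.docRoot = docRoot.toRealPath();
    }

    /** Assumes requestUri has already been percent-decoded. */
    public Path resolve(String requestUri) throws IOException {
        Path current = docRoot;
        for (String segment : requestUri.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                // Refuse traversal outright rather than normalising it away.
                return null;
            }
            Path next = exactChild(current, segment);
            if (next == null) {
                return null; // no directory entry whose name matches exactly
            }
            current = next;
        }
        // Reject anything that escaped the root through a symlink.
        if (!current.toRealPath().startsWith(docRoot)) {
            return null;
        }
        return current;
    }

    /** Look for a directory entry whose name equals {@code name} character for character. */
    private static Path exactChild(Path dir, String name) throws IOException {
        if (!Files.isDirectory(dir)) {
            return null;
        }
        try (DirectoryStream<Path> entries = Files.newDirectoryStream(dir)) {
            for (Path entry : entries) {
                if (entry.getFileName().toString().equals(name)) {
                    return entry;
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout for the demo: a temporary document root holding
        // "index.html" and "WEB-INF/web.xml".
        Path root = Files.createTempDirectory("docroot");
        Files.createDirectories(root.resolve("WEB-INF"));
        Files.write(root.resolve("WEB-INF").resolve("web.xml"), new byte[0]);
        Files.write(root.resolve("index.html"), new byte[0]);

        CaseSensitiveResolver resolver = new CaseSensitiveResolver(root);
        System.out.println("/index.html      -> " + resolver.resolve("/index.html"));
        System.out.println("/INDEX.HTML      -> " + resolver.resolve("/INDEX.HTML"));
        System.out.println("/web-inf/web.xml -> " + resolver.resolve("/web-inf/web.xml"));
    }
}
```

Only the exact-case request resolves; the differently cased variants come back null on every platform, which is the behaviour the text describes for Tomcat 3.1.1. The last lookup illustrates why the original behaviour mattered: a guard that refuses paths starting with "/WEB-INF" but then serves whatever the filesystem matches case-insensitively would be bypassed by a request for "/web-inf/web.xml"; listing the directory and comparing names removes that gap.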
6.3 Snoop Servlet Mappings in Example Application
In the deployment descriptor for the example application delivered with
Tomcat 3.1, a "snoop" servlet was mapped to URL patterns "/snoop" and
"*.snp". These mappings (in particular the second one) could cause exposure
of sensitive information on the internal organization of your web application
(for example, when a non-existent page "foo.snp" is requested).
To avoid these problems, the offending mappings have been commented out.
6.4 Show Source Vulnerability
The example application delivered with Tomcat 3.1 included a mechanism to
display the source code for the JSP page examples. This mechanism could
be used to bypass the restrictions on displaying sensitive information in
the WEB-INF and META-INF directories. This vulnerability has been removed.
6.5 Requesting Unknown JSP Pages
In Tomcat 3.1, the error message in response to a request for an unknown JSP
page would include the absolute disk file pathname of the corresponding file
which could not be found, which exposes sensitive information about how your
application is deployed. The error message has been adjusted to include only
the context-relative path of the JSP page which could not be found.
6.6 Session ID Vulnerability
The algorithm used to calculate session identifiers for new sessions was
subject to attack by attempting to guess what the next session identifier will
be, and therefore hijack the session. In addition, the generated identifier
exposed sensitive information (the number of sessions that have been created
since this web application was started).
To avoid these problems, the session identifier generation algorithm has been
replaced by the algorithm used in Tomcat 3.2, which is not subject to these
attacks, and does not expose session count information.
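As an added example (not Tomcat code, and not the Tomcat 3.2 algorithm the text refers to), the following contrasts a counter-based identifier of the kind described above with a generator that draws 128 bits from a cryptographically secure random source. The counter variant is included only to show the two weaknesses the text names: the next value is predictable, and the value itself discloses how many sessions have been created. Class and method names are constructed for this illustration.

```java
import java.security.SecureRandom;
import java.util.concurrent.atomic.AtomicLong;
import java.util.regex.Pattern;

public final class SessionIdGenerators {

    /**
     * Counter-based scheme of the kind the text describes. Shown only as the
     * contrast case: trivially guessable and reveals the session count.
     */
    static final class CounterIds {
        private final AtomicLong counter = new AtomicLong();

        String next() {
            return Long.toString(counter.incrementAndGet());
        }

        /** What a holder of one identifier learns about the server. */
        static long sessionsCreatedSoFar(String id) {
            return Long.parseLong(id);
        }
    }

    /** Hardened scheme: 128 bits from a CSPRNG, hex-encoded to 32 characters. */
    static final class RandomIds {
        static final int ID_BYTES = 16;
        private static final Pattern WELL_FORMED =
                Pattern.compile("[0-9a-f]{" + (ID_BYTES * 2) + "}");
        private final SecureRandom random = new SecureRandom();

        String next() {
            byte[] raw = new byte[ID_BYTES];
            random.nextBytes(raw);
            StringBuilder hex = new StringBuilder(ID_BYTES * 2);
            for (byte b : raw) {
                hex.append(Character.forDigit((b >> 4) & 0xf, 16));
                hex.append(Character.forDigit(b & 0xf, 16));
            }
            return hex.toString();
        }

        /** Reject malformed cookie values before they reach the session table lookup. */
        static boolean isWellFormed(String id) {
            return id != null && WELL_FORMED.matcher(id).matches();
        }
    }

    public static void main(String[] args) {
        CounterIds weak = new CounterIds();
        weak.next();
        weak.next();
        String third = weak.next();
        System.out.println("counter id " + third + " discloses "
                + CounterIds.sessionsCreatedSoFar(third) + " sessions created");

        RandomIds strong = new RandomIds();
        String id = strong.next();
        System.out.println("random id " + id + " well-formed=" + RandomIds.isWellFormed(id));
        // A constructed, tampered value: wrong alphabet, so it is refused before any lookup.
        System.out.println("tampered id well-formed=" + RandomIds.isWellFormed(id.substring(2) + "zz"));
    }
}
```

With 128 random bits per identifier, guessing a live session is infeasible and nothing about server state leaks through the value. The format check is a small extra: it lets the server discard garbage cookie values cheaply and keeps attacker-controlled strings out of whatever structure holds the sessions.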
6.7 Server Shutdown Vulnerability
In Tomcat 3.1, it was possible to establish a remote network connection to the
AJP12 connector and cause Tomcat to shut itself down. Now, this network
connection must be created from the same server that Tomcat is running on.
NOTE: While this is more secure than Tomcat 3.1 (and mirrors the protection
provided by Tomcat 3.2), it is still vulnerable to attack by users who can
create socket connections from the server. Suitable use of firewalls and
"TCP Wrappers" applications is suggested around the AJP12 port.
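The following is an added example (not Tomcat's connector code) of the two-layer restriction the note above implies for a control port such as the one carrying the shutdown command: bind the listener to the loopback interface so the kernel never delivers remote connections, and additionally check each accepted connection's peer address, so that a later change to the bind address cannot silently re-expose the command. The class and method names are constructed; main() connects to itself on an ephemeral port purely to show the check firing.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;

public final class LoopbackOnlyControlPort {

    /** Bind only to the loopback interface; remote hosts cannot reach the socket at all. */
    public static ServerSocket openLoopbackListener(int port) throws IOException {
        ServerSocket server = new ServerSocket();
        server.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), port));
        return server;
    }

    /** Per-connection check applied before any command is honoured. */
    public static boolean isPermitted(Socket connection) {
        InetAddress peer = connection.getInetAddress();
        return peer != null && peer.isLoopbackAddress();
    }

    public static void main(String[] args) throws IOException {
        // Port 0 asks the OS for a free ephemeral port; a real deployment uses its fixed port.
        try (ServerSocket server = openLoopbackListener(0)) {
            int port = server.getLocalPort();
            // Constructed client from this same host; the connection waits in the
            // backlog until accept() is called.
            try (Socket client = new Socket(InetAddress.getLoopbackAddress(), port);
                 Socket accepted = server.accept()) {
                System.out.println("listening on " + server.getLocalSocketAddress());
                System.out.println("peer " + accepted.getInetAddress()
                        + " permitted=" + isPermitted(accepted));
            }
        }
    }
}
```

As the note says, this still trusts every process that can open a local socket; the host firewall or TCP Wrappers rules the text recommends sit outside the application and are the right place to narrow that further.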
*) Allow absolute pathnames in the -socket argument.
*) Don't invoke suexec when the user/group for the fastcgi application
is the same as the apache main server. This is consistent with
apache's suexec handling.
*) Reset the apache drop dead timer upon successful read or writes
to/from the client. This eliminates timeouts that were occurring
during the large file transfers to/from slow clients.
*) Support generic wrappers such as cgiwrap by eliminating dependencies
on Apache's SUEXEC, renaming the FastCgiSuexec directive
FastCgiWrapper and eliminating any checks regarding the target
application (this is the responsibility of the wrapper).
*) Fix a nasty bug that occurred when a client aborted a POST request
before the connection to a dynamic FastCGI application was opened.
Changes since 1.60
2000-09-24 Hans de Graaff <hans@degraaff.org>
* Checkbot 1.62 released
2000-09-16 Hans de Graaff <hans@degraaff.org>
* checkbot.pl (send_mail): Only mention URL in the subject of the
mail if one is given through the --url option.
(check_external): The ALEPH web server is also broken with respect
to HEAD requests.
2000-09-04 Hans de Graaff <hans@degraaff.org>
* checkbot.pl (check_external): JavaWebServer is also broken with
respect to HEAD requests.
2000-08-26 Hans de Graaff <hans@degraaff.org>
* checkbot.pl (create_page): Add --style option which allows a
link to a CSS file to be included in each Checkbot page.
2000-08-20 Nick Hibma <n_hibma@qubesoft.com>
* checkbot.pl (check_external): Some servers don't set the Server:
header. Check to see if the server field is set in a response to
avoid warnings.
* checkbot.pl (add_checked): Add --enable-virtual option to use
hostname instead of IP address to distinguish servers. This allows
checking of multiple virtual servers.
2000-08-13 Hans de Graaff <hans@degraaff.org>
* Makefile.PL: Add a check for HTML::Parser. Require latest
version, 3.10, because I'm not sure older versions work correctly.
2000-06-29 Hans de Graaff <hans@degraaff.org>
* Checkbot 1.61 released
* Makefile.PL (chk_version): Add version checked for in output.
2000-06-18 Larry Gilbert <larry@n2h2.com>
* checkbot.pl (check_external): Use GET instead of HEAD for
confused closed-source servers.
2000-06-18 Hans de Graaff <hans@degraaff.org>
* Makefile.PL (chk_version): require URI 1.07 as it contains bug
fixes for using Base URLs.
* checkbot.pl: Change email and web address
2000-04-30 Hans de Graaff <graaff@xs4all.nl>
Version 2.6 of WWWOFFLE released : Sat Nov 18 19:15:00 2000
-----------------------------------------------------------
Bug Fixes:
Improve HTML modification for unterminated tags. Allow passworded pages to be
fetched. Improve compilation on non-Linux systems. Fix bug with proxy config
file entry. Fix an error with not truncating files. Fix an error with
dir-perm and file-perm. Fix problem when getting pages with passwords. Fix
problem deleting pages with passwords.
Documentation
Added a note to the FAQ about DoS attacks and ipchains.
*NOTE* If upgrading from version 2.[2345] then you will need to convert your
cache to the new format, see the file CONVERT for details.
*NOTE* If upgrading from version 2.4[abc] the max-size option in the Purge
section of the configuration file has changed. See CHANGES.CONF.
*NOTE* If upgrading from version 2.[123] the setting of the times of monitoring
URLs has changed, check the monitor index and correct where needed.
*NOTE* If upgrading from version 1.x or 2.[01] then you will need to delete
your cache since conversion from those formats is no longer provided.
Version 2.6-beta of WWWOFFLE released : Sun Oct 22 10:30:00 2000
----------------------------------------------------------------
Bug Fixes:
Handle usernames specified in URLs including the '@' character. Fix problems
deleting URLs with arguments. Fix bug with recursive fetching in same dir.
Retry the select system call if it is interrupted.
Win32 Bug Fixes:
Fix for local web-pages not being opened in binary mode. Compilation fixes.
Internal Changes:
Re-examined all URL-encoding and URL-decoding issues (small cache change).
Ensure that the canonical form of the URL is used throughout.
Changed the URLs in the indexes for monitor, delete & refresh.
Documentation
Re-written the README.CONF file with new layout and more information.
Added three more questions to the FAQ and updated several others.
Configuration File
Allow many of the configuration file options to be selectable on a URL by URL basis.
Move some configuration file options around and create some new sections.
Allow purge ages to be specified in larger units (weeks, months, years).
Allow re-request times to be specified in larger units (minutes, hours, days).
New Configuration Options
Add the ability to demoronise HTML (replace bogus characters with real ones).
Add the ability to remove meta refresh tags that redirect browsers.
Added the option to convert redirections to DontGet pages to errors.
Allow the HTML modifications to happen to pages viewed when online.
Add timeouts to DNS lookups to stop WWWOFFLE servers hanging up.
Add the option to enable the use of lock files (defaults to disabled).
New Features
Remove the index of the latest pages (was slow on big caches).
Add an index of the pages that were in the outgoing directory last time.
Change the don't cache option so that pages are not requested when offline.
Allow password protected URLs to be deleted.
Aliased pages now use a redirect rather than re-writing the URL.
Make it safe to have symlinks in the cache.
Searching
Changed the ht://Dig search URLs in WWWOFFLE from /htdig/* to /search/htdig/*.
Allow the use of UdmSearch instead of ht://Dig.
Contrib
Improved the audit-usage.pl script to show cache hit/miss status for requests.