
Apache Tomcat 4.1.24 Error Report

A workaround was implemented in revision 681065 that protects against this and any similar character encoding issues that may still exist in the JVM. These pages have been simplified not to use any user provided data in the output.

Posted on Jun 14, 2009 1:08 PM
Q: How do I correct an Apache Tomcat/4.1.24-Error report?

Users are advised to use the default, supported Coyote AJP connector which does not exhibit this issue.

A sequence of such requests will cause all request processing threads, and hence Tomcat as a whole, to become unresponsive. This Servlet now filters the data before use.

Trav. 2008-08-03 2014-03-15 5.0 None Remote Low Not required Partial None None Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path

Affects: 4.1.0-4.1.36
Low: Cross-site scripting CVE-2007-3383
When reporting error messages, the SendMailServlet (part of the examples web application) did not escape user provided data before including it in the output.

NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ...

Users of Tomcat 4.1.x are advised to use the default, supported Coyote HTTP/1.1 connector which does not exhibit this issue.

I have to repeatedly re-connect with Internet Connect every time I try to open a new or different link, or if I refresh a site, I have to re-connect. On occasion, Apache

A fix was also required in the JK connector module for httpd.

This was fixed in revision 781382. In case this connector is a member of a mod_jk load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute.

by Camelot, Jun 13, 2009 10:34 PM, in response to Homer Leon Story

If an attacker can do this then the server is already compromised.

Applications that use the raw header values directly should not assume that the headers conform to RFC 2616 and should filter the values appropriately.

  HTTP Status 404 - /
  --------------------------------------------------------------------------------
  type Status report
  message /
  description The requested resource (/) is not available.
  --------------------------------------------------------------------------------
  Apache Tomcat/4.1.24-LE-jdk14

Haim, Tomcat error, Jul. 07

This enabled an XSS attack.

In response to this and other directory listing issues, directory listings were changed to be disabled by default. This issue may be mitigated by undeploying the examples web application. The vulnerability reports for this issue state that it is fixed in 4.1.10 onwards.

What is the solution?

  • It can not be reproduced on Windows XP Home with JDKs 1.3.1, 1.4.2, 1.5.0 or 1.6.0.
  • Each vulnerability is given a security impact rating by the Apache Tomcat security team — please note that this rating may vary from platform to platform.
  • For a successful XSS attack, unfiltered user supplied data must be included in the message argument.
  • I'm encountering the following error. Thanks!
  • Note that it is recommended that the examples web application is not installed on a production system.
  • This includes the standard RemoteAddrValve and RemoteHostValve implementations.
  • There are no plans to issue an update to Tomcat 4.1.x for this issue.
  • If directory listings are enabled, the number of files in each directory should be kept to a minimum.

Affects: 4.0.3?

Although the root cause was quickly identified as a JVM issue that affected multiple JVMs from multiple vendors, it was decided to report this as a Tomcat vulnerability until

Affects: 4.0.0-4.0.6, 4.1.0-4.1.31
Fixed in Apache Tomcat 4.1.29
Moderate: Cross-site scripting CVE-2002-1567
The unmodified requested URL is included in the 404 response header.

Tomcat permits '\', '%2F' and '%5C' as path delimiters. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the

Affects: 4.1.0-4.1.39
Low: Information disclosure CVE-2009-0580
Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of user names by supplying illegally URL encoded

Important: Denial of service CVE-2002-1895
This issue only affects configurations that use IIS in conjunction with Tomcat and the AJP1.3 connector.

Affects: 4.1.0-4.1.39
Fixed in Apache Tomcat 4.1.39
Moderate: Session hi-jacking CVE-2008-0128
When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it being

Affects: 4.1.28-4.1.31
Low: Cross-site scripting CVE-2006-7196
The calendar application included as part of the JSP examples is susceptible to a cross-site scripting attack as it does not escape user provided data

Affects: 4.0.0-4.0.6, 4.1.0-4.1.34
Important: Directory traversal CVE-2007-0450
The fix for this issue was insufficient.

Affects: 4.0.0-4.0.6
Fixed in Apache Tomcat 4.0.2
Low: Information disclosure CVE-2002-2009, CVE-2001-0917
Requests for JSP files where the file name is preceded by '+/', '>/', '

Thus the behaviour can be used for a denial of service attack using a carefully crafted request.

This was fixed in revision 781708.

I have used this same system for eleven (11) years.

This issue may be mitigated by undeploying the examples web application. The default configuration no longer permits the use of insecure cipher suites.

I will attempt to do a better job.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.34
Low: Cross-site scripting CVE-2007-1358
Web pages that display the Accept-Language header value sent by the client are susceptible to a cross-site scripting attack if they assume the Accept-Language

  HTTP Status 401 -
  type Status report
  message
  description This request requires HTTP authentication ().
  Apache Tomcat/4.1.24-LE-jdk14

This workaround is included in Tomcat 4.1.39 onwards.

Note: Vulnerabilities that are not Tomcat vulnerabilities but have either been incorrectly reported against Tomcat or where Tomcat provides a workaround are listed at the end of this page.

It should also be noted that setting useBodyEncodingForURI="true" has the same effect as setting URIEncoding="UTF-8" when processing requests with bodies encoded with UTF-8.

sweetcaro, Re: Tomcat error, Apr. 19, 2010 08:35 PM
I had to re-install because of program errors and now I'm hoping I didn't lose everything!

The remaining part of the URL, including the script elements, is treated as part of the response body and the client executes the script.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.36
Fixed in Apache Tomcat 4.1.36
Important: Information disclosure CVE-2005-2090
Requests with multiple content-length headers should be rejected as invalid.

But I'm getting this exact same error when opening the page:

  type Status report
  message /
  description The requested resource (/) is not available.

This issue may be mitigated by logging out (closing the browser) of the application once the management tasks have been completed.

NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.

4 CVE-2013-4286 20 2014-02-26 2016-08-22 5.8 None Remote Medium Not required Partial Partial None Apache Tomcat before 6.0.39, 7.x before

This enabled an XSS attack. In some circumstances this led to the leaking of information such as the session ID to an attacker. This directory traversal is limited to the docBase of the web application.

NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.

17 CVE-2007-3385 200 +Info 2007-08-14 2011-04-20 4.3 None Remote Medium Not required Partial None None Apache Tomcat 6.0.0 to 6.0.13,

Under normal circumstances this would not be possible to exploit; however, older versions of Flash player were known to allow carefully crafted malicious Flash files to make requests with such custom

Affects: 4.0.0-4.0.6, 4.1.0-4.1.36
Low: Session hi-jacking CVE-2007-3385
Tomcat incorrectly handled the character sequence \" in a cookie value.

Affects: Pre-release builds of 4.0.0
Unverified Low: Installation path disclosure CVE-2005-4703, CVE-2002-2008
This issue only affects Windows operating systems.