SecuriTeam"! - Apache Tomcat Information Disclosure (RemoteFilterValve)(情報元のブックマーク数)

かなり細工しないと無理なの?セッション管理(TCPの)が不十分ってことか?

This has only been reproduced using a debugger to force a particular processing sequence across two threads.
1. Set a breakpoint right after the place where a value is to be entered in the instance variable of regexp (search:org.apache.regexp.CharacterIterator).

2. Send a request from the IP address* which is not permitted. (stopped at the breakpoint)

*About the IP address which is not permitted. The character strings length of the IP address which is set in RemoteAddrValve must be same.

3. Send a request from the IP address which was set in RemoteAddrValve. (stopped at the breakpoint)

In this way, the instance variable is to be overwritten here.

4. Resume the thread which is processing the step 2 above.

5. The request from the not permitted IP address will succeed.

Apache Tomcat Information Disclosure (RemoteFilterValve)

screenshot