(2) By default, the response generated by a Servlet does depend on the HTTP method. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP.
JSPs used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. Apache Tomcat 9.0.0.M1 through 9.0.0.M11, 8.5.0 through 8.5.6, 8.0.0.RC1 through 8.0.38, 7.0.0 through 7.0.72 and 6.0.0 through 6.0.47 are vulnerable. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. Useful references: Release notes, with important information about known issues Changelog NOTE: The tar files in this distribution use GNU tar extensions, and must be untarred with a GNU compatible version of tar. The configuration file uses the format name=value with each pair on a separate line.
Defaults: The defaults used by the installer may be overridden by use of the /C Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. There is probably a simpler way, but installing the J2EE version of Eclipse solved this for me. Note that when choosing to run Tomcat at the end of installation, the tray icon will be used even if Tomcat was installed as a service.
If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. Apache Tomcat version 7.0 implements the Servlet 3.0 and JavaServer Pages 2.2 specifications from the Java Community Process, and includes many additional features that make it a useful platform for developing and deploying web applications and web services. This means that the request is presented to the error page with the original HTTP method. META-INF/LICENSE META-INF/MANIFEST.MF META-INF/NOTICE.
#APACHE TOMCAT 7.0 27 SERIES#
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts. The download jar file contains the following class files or Java source files.