top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Responses of two different requests concatinated

0 votes
290 views

We recently got an error report from a user of one of the systems we have developed, showing that the response from a different request had been appended to the original response.

The original response was the front page of a site, generated with jsp, and the appended response was a excel file generated a few seconds earlier.

Our current hypothesis is that some buffer in either httpd(2.2.22) or Tomcat (7.0.35) has been recycled. Httpd is connected to Tomcat using http proxypass.

I have started trying to reproduce the problem, but thought I should try the mailing lists of both httpd and tomcat before continuing.

What I have done thus far is: concatenating html and excel to verify that it is possible to open and looks the way the user experienced; building a custom version of Tomcat that uses the same Processor for each request and configured to use only one thread.

This seems a bit similar to the issue described in http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.12 (CVE-2011-1475)

Some results when googleling suggests that this could happen when jsp tags are not coded properly, but I have not found any such code in our applications.

posted Aug 7, 2013 by Sonu Jindal

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

2 Answers

+1 vote
 
Best answer

Usual culprit is a bug in web application that uses request/response objects outside of their life cycle.

The first step that I'd recommend is to set
org.apache.catalina.connector.RECYCLE_FACADES=true for better security and to ease detection of such misuse.

See
http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#System_Properties
http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html

There is also exists a known issue in Java ImageIO API,
https://wiki.apache.org/tomcat/FAQ/KnownIssues#ImageIOIssues

There also exists CVE-2013-2071 (fixed in 7.0.40).

answer Aug 7, 2013 by Abhay Kulkarni
+1 vote

In order of likelihood:
- app bug
- Tomcat bug
- httpd bug

I'd look for code that retains a reference to the request and/or response object or maybe an OutputStream. The usual cause of this type of issue is retaining a reference across requests and re-using the object from the old request rather than the current one.

Did the appended response include HTTP headers? If yes, this could just be the result of pipe-lining.

answer Aug 7, 2013 by Kumar Mitrasen
Similar Questions
+3 votes
How to limit the number of requests routed to Tomcat via Apache V2.4.3

I have a requirement where the tomcat load has to be managed by tuning the following parameters.

--> Limit the number of user requests at Apache level that are routed to Tomcat server.
--> Track the number of processed requests and the requests that are queued at Apache level.

Any suggestions?

+2 votes
Tomcat: Web filter to forward some requests to another remote webserver

I would like to create a web filter to forward some requests to another webserver,

The filter receives an "application/x-www-form-urlencoded" request , inspects the value of a parameter and chooses to forward to another remote webserver ( as a proxy )

I've seen some posts where they open a HttpURLConnection to remote server and send the request. This is right for me, but I'd would like if there is another way ( easier ) to implement it.

0 votes
Enable session persistence between two tomcat nodes behind load balancer

I have been searching for an answer to how to set this up. I find a lot of posts on session persistence but none seem to describe how to set it up. Is there a simple explanation out there that tells me how I go about setting up session persistence (with Apache, I would just set up memcached on the db server and configure the memcache module on each Apache instance to point to the memcached and it works). I don't need opcode persistence. I just want the tomcats to either a) direct all session traffic to a single node or b) make the two tomcats aware of all sessions. Can someone point me in the right direction? I am not a java coder, but if code changes need to be made, I can work through it.

...