Surprising Hack into Tomcat Log File

Question

Today I found a friendly hint from a hacker in Tomcat's catalina.out. There must be some leak after an exception occurred which enables users to write to stderr or stdout. The part of the log file is as follows:

...
Oct 16, 2018 12:40:21 AM org.apache.coyote.http11.AbstractHttp11Processor process
INFO: Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
    at org.apache.coyote.http11.InternalInputBuffer.parseRequestLine(InternalInputBuffer.java:136)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1028)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:662)

**Did you see me on the stderr window?**

**Did you see me on the browser window as well?**

com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: Duplicate entry '244790-85.25.210' for key 'PRIMARY'
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
...

I suspect that the exception left the stderr open and a user was able to write into the log. My machine is a Debian 8.7 with Tomcat 7.077.

Does anyone know how this could happen?

score 0 · Answer 1 · answered Oct 16 '18 at 16:27

0

The "Did you see me" lines are printed by some page in the Tomcat Examples web application. (That web application is present by default. You should remove it if you are using a Tomcat server for production).

Things to read:

source code of the jsp file that prints those messages
security how-to from Tomcat User's Guide (for Tomcat 9. There exists similar page for Tomcat 7.)

answered Oct 16 '18 at 16:27

Konstantin Kolinko

3,854
1
13
21

Thank you! This case is therefore a duplicate of question 16301668. – JensD Oct 18 '18 at 07:08

Surprising Hack into Tomcat Log File

1 Answers1