September 2015 - mod_cluster-issues

[JBoss JIRA] (MODCLUSTER-416) mod_cluster Connected count shows improper inflation

by Radoslav Husar (JIRA)

[ https://issues.jboss.org/browse/MODCLUSTER-416?page=com.atlassian.jira.pl... ] Radoslav Husar updated MODCLUSTER-416: -------------------------------------- Fix Version/s: 1.2.12.Final (was: 1.2.11.Final) > mod_cluster Connected count shows improper inflation > ---------------------------------------------------- > > Key: MODCLUSTER-416 > URL: https://issues.jboss.org/browse/MODCLUSTER-416 > Project: mod_cluster > Issue Type: Bug > Components: Native (httpd modules) > Affects Versions: 1.2.9.Final > Reporter: Aaron Ogburn > Assignee: Jean-Frederic Clere > Fix For: 1.3.2.Alpha1, 1.2.12.Final > > > The mod_cluster connected count (a proxy_worker's busy attribute) shows improper inflation. With load stopped, non-zero values have still been seen through the mod_cluster-manager page and INFO MCMP responses. -- This message was sent by Atlassian JIRA (v6.4.11#64026)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (MODCLUSTER-453) It is possible to inject JavaScript into mod_cluster manager console via MCMP messages

by Radoslav Husar (JIRA)

[ https://issues.jboss.org/browse/MODCLUSTER-453?page=com.atlassian.jira.pl... ] Radoslav Husar resolved MODCLUSTER-453. --------------------------------------- Resolution: Done > It is possible to inject JavaScript into mod_cluster manager console via MCMP messages > -------------------------------------------------------------------------------------- > > Key: MODCLUSTER-453 > URL: https://issues.jboss.org/browse/MODCLUSTER-453 > Project: mod_cluster > Issue Type: Bug > Components: Native (httpd modules) > Affects Versions: 1.2.6.Final, 1.2.9.Final, 1.2.11.Final, 1.3.1.Beta2 > Reporter: Michal Karm Babacek > Assignee: Jean-Frederic Clere > Priority: Critical > Fix For: 1.3.2.Alpha1, 1.2.12.Final > > Attachments: MODCLUSTER-453_master-better_one.patch, MODCLUSTER-453_master-mbabacek.patch, MODCLUSTER-453_master-offensive_approach.patch, patch.new.best.patch, patch.new.txt, patch.txt > > > This is a nasty one indeed :-) > h3. Steps to reproduce > * start Apache HTTP Server with mod_cluster > * send these messages (provided you test instance listens on 127.0.0.1) > {code} > { echo "CONFIG / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 95"; echo "User-Agent: Prdel"; echo ""; echo "JVMRoute=fake-1&Ho5t=127.0.0.1&Maxattempts=1&Port=8009&StickySessionForce=No&Type=ajp&ping=10"; sleep 1;} | telnet 127.0.0.1 6666 > { echo "ENABLE-APP / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 102"; echo "User-Agent: ClusterListener%2F1.0"; echo ""; echo 'JVMRoute%3Dfake-1%26Alias%3Ddefault-host%26Context%3D%2FX%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E'; sleep 1;} | telnet 127.0.0.1 6666 > {code} > * Open http://localhost:6666/mod_cluster_manager and enjoy JavaScript pop-up Alert being executed. > h3. Impact > * Anyone with access to the (hopefully only internal) network from which MCMP messages are allowed to come from could send these messages and execute arbitrary JavaScript code. > h3. Suggestion > * Leverage {{apr_escape*}} to sanitize MCMP messages. > h3. Proposed patch > * [^patch.new.best.patch]: MCMP messages containing suspicious characters are discarded. -- This message was sent by Atlassian JIRA (v6.4.11#64026)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (MODCLUSTER-453) It is possible to inject JavaScript into mod_cluster manager console via MCMP messages

by Radoslav Husar (JIRA)

[ https://issues.jboss.org/browse/MODCLUSTER-453?page=com.atlassian.jira.pl... ] Radoslav Husar updated MODCLUSTER-453: -------------------------------------- Fix Version/s: 1.2.12.Final > It is possible to inject JavaScript into mod_cluster manager console via MCMP messages > -------------------------------------------------------------------------------------- > > Key: MODCLUSTER-453 > URL: https://issues.jboss.org/browse/MODCLUSTER-453 > Project: mod_cluster > Issue Type: Bug > Components: Native (httpd modules) > Affects Versions: 1.2.6.Final, 1.2.9.Final, 1.2.11.Final, 1.3.1.Beta2 > Reporter: Michal Karm Babacek > Assignee: Jean-Frederic Clere > Priority: Critical > Fix For: 1.3.2.Alpha1, 1.2.12.Final > > Attachments: MODCLUSTER-453_master-better_one.patch, MODCLUSTER-453_master-mbabacek.patch, MODCLUSTER-453_master-offensive_approach.patch, patch.new.best.patch, patch.new.txt, patch.txt > > > This is a nasty one indeed :-) > h3. Steps to reproduce > * start Apache HTTP Server with mod_cluster > * send these messages (provided you test instance listens on 127.0.0.1) > {code} > { echo "CONFIG / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 95"; echo "User-Agent: Prdel"; echo ""; echo "JVMRoute=fake-1&Ho5t=127.0.0.1&Maxattempts=1&Port=8009&StickySessionForce=No&Type=ajp&ping=10"; sleep 1;} | telnet 127.0.0.1 6666 > { echo "ENABLE-APP / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 102"; echo "User-Agent: ClusterListener%2F1.0"; echo ""; echo 'JVMRoute%3Dfake-1%26Alias%3Ddefault-host%26Context%3D%2FX%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E'; sleep 1;} | telnet 127.0.0.1 6666 > {code} > * Open http://localhost:6666/mod_cluster_manager and enjoy JavaScript pop-up Alert being executed. > h3. Impact > * Anyone with access to the (hopefully only internal) network from which MCMP messages are allowed to come from could send these messages and execute arbitrary JavaScript code. > h3. Suggestion > * Leverage {{apr_escape*}} to sanitize MCMP messages. > h3. Proposed patch > * [^patch.new.best.patch]: MCMP messages containing suspicious characters are discarded. -- This message was sent by Atlassian JIRA (v6.4.11#64026)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (MODCLUSTER-453) It is possible to inject JavaScript into mod_cluster manager console via MCMP messages

by Radoslav Husar (JIRA)

[ https://issues.jboss.org/browse/MODCLUSTER-453?page=com.atlassian.jira.pl... ] Radoslav Husar updated MODCLUSTER-453: -------------------------------------- Fix Version/s: (was: 1.2.11.Final) > It is possible to inject JavaScript into mod_cluster manager console via MCMP messages > -------------------------------------------------------------------------------------- > > Key: MODCLUSTER-453 > URL: https://issues.jboss.org/browse/MODCLUSTER-453 > Project: mod_cluster > Issue Type: Bug > Components: Native (httpd modules) > Affects Versions: 1.2.6.Final, 1.2.9.Final, 1.2.11.Final, 1.3.1.Beta2 > Reporter: Michal Karm Babacek > Assignee: Jean-Frederic Clere > Priority: Critical > Fix For: 1.3.2.Alpha1 > > Attachments: MODCLUSTER-453_master-better_one.patch, MODCLUSTER-453_master-mbabacek.patch, MODCLUSTER-453_master-offensive_approach.patch, patch.new.best.patch, patch.new.txt, patch.txt > > > This is a nasty one indeed :-) > h3. Steps to reproduce > * start Apache HTTP Server with mod_cluster > * send these messages (provided you test instance listens on 127.0.0.1) > {code} > { echo "CONFIG / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 95"; echo "User-Agent: Prdel"; echo ""; echo "JVMRoute=fake-1&Ho5t=127.0.0.1&Maxattempts=1&Port=8009&StickySessionForce=No&Type=ajp&ping=10"; sleep 1;} | telnet 127.0.0.1 6666 > { echo "ENABLE-APP / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 102"; echo "User-Agent: ClusterListener%2F1.0"; echo ""; echo 'JVMRoute%3Dfake-1%26Alias%3Ddefault-host%26Context%3D%2FX%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E'; sleep 1;} | telnet 127.0.0.1 6666 > {code} > * Open http://localhost:6666/mod_cluster_manager and enjoy JavaScript pop-up Alert being executed. > h3. Impact > * Anyone with access to the (hopefully only internal) network from which MCMP messages are allowed to come from could send these messages and execute arbitrary JavaScript code. > h3. Suggestion > * Leverage {{apr_escape*}} to sanitize MCMP messages. > h3. Proposed patch > * [^patch.new.best.patch]: MCMP messages containing suspicious characters are discarded. -- This message was sent by Atlassian JIRA (v6.4.11#64026)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (MODCLUSTER-453) It is possible to inject JavaScript into mod_cluster manager console via MCMP messages

by Radoslav Husar (JIRA)

[ https://issues.jboss.org/browse/MODCLUSTER-453?page=com.atlassian.jira.pl... ] Radoslav Husar updated MODCLUSTER-453: -------------------------------------- Fix Version/s: 1.2.11.Final > It is possible to inject JavaScript into mod_cluster manager console via MCMP messages > -------------------------------------------------------------------------------------- > > Key: MODCLUSTER-453 > URL: https://issues.jboss.org/browse/MODCLUSTER-453 > Project: mod_cluster > Issue Type: Bug > Components: Native (httpd modules) > Affects Versions: 1.2.6.Final, 1.2.9.Final, 1.2.11.Final, 1.3.1.Beta2 > Reporter: Michal Karm Babacek > Assignee: Jean-Frederic Clere > Priority: Critical > Fix For: 1.2.11.Final, 1.3.2.Alpha1 > > Attachments: MODCLUSTER-453_master-better_one.patch, MODCLUSTER-453_master-mbabacek.patch, MODCLUSTER-453_master-offensive_approach.patch, patch.new.best.patch, patch.new.txt, patch.txt > > > This is a nasty one indeed :-) > h3. Steps to reproduce > * start Apache HTTP Server with mod_cluster > * send these messages (provided you test instance listens on 127.0.0.1) > {code} > { echo "CONFIG / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 95"; echo "User-Agent: Prdel"; echo ""; echo "JVMRoute=fake-1&Ho5t=127.0.0.1&Maxattempts=1&Port=8009&StickySessionForce=No&Type=ajp&ping=10"; sleep 1;} | telnet 127.0.0.1 6666 > { echo "ENABLE-APP / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 102"; echo "User-Agent: ClusterListener%2F1.0"; echo ""; echo 'JVMRoute%3Dfake-1%26Alias%3Ddefault-host%26Context%3D%2FX%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E'; sleep 1;} | telnet 127.0.0.1 6666 > {code} > * Open http://localhost:6666/mod_cluster_manager and enjoy JavaScript pop-up Alert being executed. > h3. Impact > * Anyone with access to the (hopefully only internal) network from which MCMP messages are allowed to come from could send these messages and execute arbitrary JavaScript code. > h3. Suggestion > * Leverage {{apr_escape*}} to sanitize MCMP messages. > h3. Proposed patch > * [^patch.new.best.patch]: MCMP messages containing suspicious characters are discarded. -- This message was sent by Atlassian JIRA (v6.4.11#64026)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (MODCLUSTER-397) StickySessions don't work for ProxyPass from unenabled context

by Aaron Ogburn (JIRA)

[ https://issues.jboss.org/browse/MODCLUSTER-397?page=com.atlassian.jira.pl... ] Aaron Ogburn commented on MODCLUSTER-397: ----------------------------------------- Master PR using notes to avoid additional table reads: https://github.com/modcluster/mod_cluster/pull/158 > StickySessions don't work for ProxyPass from unenabled context > -------------------------------------------------------------- > > Key: MODCLUSTER-397 > URL: https://issues.jboss.org/browse/MODCLUSTER-397 > Project: mod_cluster > Issue Type: Bug > Affects Versions: 1.2.8.Final > Reporter: Aaron Ogburn > Assignee: Jean-Frederic Clere > > Sticky sessions are not maintained if you try to ProxyPass from an unenabled context to an enabled one. For example, consider JBoss with just /foo deployed and enabled via MCMP. Then try to ProxyPass / to /foo/ on httpd: > CreateBalancers 1 > ... > ProxyPass / balancer://mycluster/foo/ stickysession=JSESSIONID|jsessionid nofailover=On -- This message was sent by Atlassian JIRA (v6.4.11#64026)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (MODCLUSTER-467) ExcludedContexts are ignored if modcluster subsystem initialize before default-host

by Pierre-Luc Gregoire (JIRA)

[ https://issues.jboss.org/browse/MODCLUSTER-467?page=com.atlassian.jira.pl... ] Pierre-Luc Gregoire edited comment on MODCLUSTER-467 at 9/2/15 2:09 PM: ------------------------------------------------------------------------ Instead of using a system property or a hard dependency on 'default-host', the patch loop on hosts defined in ExcludedContexts and add a dependency to them. {code} for(String host : config.getExcludedContextsPerHost().keySet()) { builder.addDependency(WebSubsystemServices.JBOSS_WEB_HOST.append(host == null?"default-host":host)); } {code} This patch is for modcluster project in wildfly, tag 7.2.0.Final-testsuite-fix. was (Author: plgregoire): Instead of using a system property or a hard dependency on 'default-host', the patch loop on hosts defined in ExcludedContexts and add a dependency to them. {code} for(String host : config.getExcludedContextsPerHost().keySet()) { builder.addDependency(WebSubsystemServices.JBOSS_WEB_HOST.append(host == null?"default-host":host)); } {code} > ExcludedContexts are ignored if modcluster subsystem initialize before default-host > ----------------------------------------------------------------------------------- > > Key: MODCLUSTER-467 > URL: https://issues.jboss.org/browse/MODCLUSTER-467 > Project: mod_cluster > Issue Type: Bug > Components: Core & Container Integration (Java) > Affects Versions: 1.2.11.Final > Reporter: Pierre-Luc Gregoire > Assignee: Jean-Frederic Clere > Labels: jboss > Attachments: MODCLUSTER-467-patch.diff > > > With JBoss 7.2.0.Final, modcluster will ignore excludedContexts defined in modcluster subsystem (ie jmx-console, ROOT). This is caused by engine.getHosts() not yet available when org.jboss.modcluster.ModClusterService.init(Server) try to setup his list of excludedContexts. -- This message was sent by Atlassian JIRA (v6.3.15#6346)

9 years, 4 months

1
0
0 / 0

[JBoss JIRA] (MODCLUSTER-467) ExcludedContexts are ignored if modcluster subsystem initialize before default-host

by Pierre-Luc Gregoire (JIRA)

[ https://issues.jboss.org/browse/MODCLUSTER-467?page=com.atlassian.jira.pl... ] Pierre-Luc Gregoire updated MODCLUSTER-467: ------------------------------------------- Attachment: MODCLUSTER-467-patch.diff Instead of using a system property or a hard dependency on 'default-host', the patch loop on hosts defined in ExcludedContexts and add a dependency to them. for(String host : config.getExcludedContextsPerHost().keySet()) { builder.addDependency(WebSubsystemServices.JBOSS_WEB_HOST.append(host == null?"default-host":host)); } > ExcludedContexts are ignored if modcluster subsystem initialize before default-host > ----------------------------------------------------------------------------------- > > Key: MODCLUSTER-467 > URL: https://issues.jboss.org/browse/MODCLUSTER-467 > Project: mod_cluster > Issue Type: Bug > Components: Core & Container Integration (Java) > Affects Versions: 1.2.11.Final > Reporter: Pierre-Luc Gregoire > Assignee: Jean-Frederic Clere > Labels: jboss > Attachments: MODCLUSTER-467-patch.diff > > > With JBoss 7.2.0.Final, modcluster will ignore excludedContexts defined in modcluster subsystem (ie jmx-console, ROOT). This is caused by engine.getHosts() not yet available when org.jboss.modcluster.ModClusterService.init(Server) try to setup his list of excludedContexts. -- This message was sent by Atlassian JIRA (v6.3.15#6346)

9 years, 4 months

1
0
0 / 0

[JBoss JIRA] (MODCLUSTER-467) ExcludedContexts are ignored if modcluster subsystem initialize before default-host

by Pierre-Luc Gregoire (JIRA)

[ https://issues.jboss.org/browse/MODCLUSTER-467?page=com.atlassian.jira.pl... ] Pierre-Luc Gregoire edited comment on MODCLUSTER-467 at 9/2/15 2:07 PM: ------------------------------------------------------------------------ Instead of using a system property or a hard dependency on 'default-host', the patch loop on hosts defined in ExcludedContexts and add a dependency to them. {code} for(String host : config.getExcludedContextsPerHost().keySet()) { builder.addDependency(WebSubsystemServices.JBOSS_WEB_HOST.append(host == null?"default-host":host)); } {code} was (Author: plgregoire): Instead of using a system property or a hard dependency on 'default-host', the patch loop on hosts defined in ExcludedContexts and add a dependency to them. for(String host : config.getExcludedContextsPerHost().keySet()) { builder.addDependency(WebSubsystemServices.JBOSS_WEB_HOST.append(host == null?"default-host":host)); } > ExcludedContexts are ignored if modcluster subsystem initialize before default-host > ----------------------------------------------------------------------------------- > > Key: MODCLUSTER-467 > URL: https://issues.jboss.org/browse/MODCLUSTER-467 > Project: mod_cluster > Issue Type: Bug > Components: Core & Container Integration (Java) > Affects Versions: 1.2.11.Final > Reporter: Pierre-Luc Gregoire > Assignee: Jean-Frederic Clere > Labels: jboss > Attachments: MODCLUSTER-467-patch.diff > > > With JBoss 7.2.0.Final, modcluster will ignore excludedContexts defined in modcluster subsystem (ie jmx-console, ROOT). This is caused by engine.getHosts() not yet available when org.jboss.modcluster.ModClusterService.init(Server) try to setup his list of excludedContexts. -- This message was sent by Atlassian JIRA (v6.3.15#6346)

9 years, 4 months

1
0
0 / 0

[JBoss JIRA] (MODCLUSTER-468) Remove obsolete EULA

by Jean-Frederic Clere (JIRA)

[ https://issues.jboss.org/browse/MODCLUSTER-468?page=com.atlassian.jira.pl... ] Jean-Frederic Clere updated MODCLUSTER-468: ------------------------------------------- Status: Resolved (was: Pull Request Sent) Resolution: Done merged > Remove obsolete EULA > -------------------- > > Key: MODCLUSTER-468 > URL: https://issues.jboss.org/browse/MODCLUSTER-468 > Project: mod_cluster > Issue Type: Bug > Components: Core & Container Integration (Java) > Reporter: Richard Fontana > Assignee: Jean-Frederic Clere > > The license file JBossORG-EULA.txt is obsolete and in fact was erroneous when it was introduced. It was supposed to be removed from JBoss community projects several years ago. -- This message was sent by Atlassian JIRA (v6.3.15#6346)

9 years, 4 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

mod_cluster-issues September 2015