tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 61369] Tomcat 8.5.16 vulnerable to CVE-2016-0793
Date Wed, 02 Aug 2017 08:35:43 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=61369

Mark Thomas <markt@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from Mark Thomas <markt@apache.org> ---
As per http://tomcat.apache.org/security.html security vulnerabilities should
be reported privately to the Apache Tomcat Security Team - not via the public
bug tracker.

Reporting vulnerabilities publicly potentially exposes all Tomcat users to the
vulnerability until the vulnerability is patched.

Unfortunately, once information on a vulnerability is made public it can't be
made private.

Given the circumstances, we might as well make the best of this and use it as
an opportunity to give the Tomcat community an insight into how the Tomcat
security team addresses a security vulnerability and keep discussion on this
issue in the open. There is one caveat. If, during the investigation, we
uncover a separate but related security issue we will keep that information
private until that separate issue is resolved.

My initial reaction to this report is that - knowing how the WEB-INF check is
implemented - I'd be surprised if this was valid. The usual way the check is
bypassed on Windows is setting allowLinking=true (and setting that on Windows
is a configuration error). In this case I don't think that would allow the
behaviour seen here. Other possible causes are a poorly configured reverse
proxy or an unusual configuration of appBase and docBase

Next steps are to see if the report can be reproduced.

I don't have a Windows Server 2012 R2 install to hand so I have started the
process to set one up.

While the 2012 R2 ISO is downloading, I tested a clean build of the latest
8.5.x code running on Windows 7 and I do not see this behaviour. i.e.
http://localhost:8080/WEB-INF./web.xml returns a 404.

If I set allowLinking="true" I do see the behaviour described here. That is a
surprise. The good news is that that makes this a configuration error. There is
a very clear warning in the documentation that setting allowLinking="true" on
Windows or any platform with a case insensitive file system will create
security issues.

However, before resolving this issue as invalid we need to:
- confirm with the OP that they had set allowLinking="true"
- figure out why allowLinking="true" allows this particular bypass to occur

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message