From "Pid *" <...@pidster.com>
Subject Re: Need help to understand CVE-2007-0450
Date Wed, 21 Nov 2012 18:18:48 GMT
On 21 Nov 2012, at 14:59, "André Warnier" <aw@ice-sa.com> wrote:

> Caldarale, Charles R wrote:
>>> From: Aditi Sinha [mailto:adisinha0423@gmail.com] Subject: Need help to understand CVE-2007-0450
>>> We have a web server hosted on Tomcat 7.0.22.
>>> The tool was able to access the Tomcat manager application with the
>>> following URL :

What scanning tool, exactly?
How can I reproduce this?


>>> http://localhost:8080/scripts/\../manager/html
>>> As per Tomcat security documents the issue is not present in Tomcat 7.
>>> Is there anything wrong in our web application deployment?
>> As documented here:
>> http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10
>> there are two Java system properties that control behavior of Tomcat with regard to such URLs.  Make sure neither is enabled.
>
> Just barging in here with my own question: is the above really to be considered as a Tomcat failure?

Such automated scanning tools are notorious for false positives.


p

> The call is made directly to Tomcat from localhost (obviously), which is allowed for the Manager application.
> The URL, as stated, seems valid to me.  It will just result in "/scripts/../manager/" being equivalent to "/manager/", and the resulting URL is correct and allowed.
>
> I fail to see the problem (but I may be missing something).
>
> The special properties mentioned above address an issue where there is a front-end Apache server proxying to Tomcat, and which would have only "/scripts/" proxied to Tomcat.
> This would allow the call to be proxied (because it matches "/scripts"), and then resolved by Tomcat to a non-proxied (but valid) context.
> But I think that the case above is different, as there is apparently no proxy involved.
>
> (And anyway, if this was ever an issue, in my opinion it would have more to do with a proxy module weakness - or a lax configuration - than with Tomcat per se).
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

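The normalisation mismatch the thread is talking about, as an added illustration (not code from this thread or from Tomcat): a front end that forwards only "/scripts/" by literal prefix match, beside a simplified model of the container's path normalisation with the backslash and encoded-slash properties off (the default the Tomcat 6.0.10 note above refers to, where such a request is rejected) and on. The flag names, the normaliser and the proxied prefix are assumptions made for the illustration.

```python
from urllib.parse import unquote

# Assumption: these two flags stand in for Tomcat's ALLOW_BACKSLASH and
# ALLOW_ENCODED_SLASH system properties; the normaliser is a simplified model.
def tomcat_normalize(path, allow_backslash=False, allow_encoded_slash=False):
    """Canonicalise a request path the way the container will see it.
    Returns None when the request would be rejected outright."""
    if "%2f" in path.lower() and not allow_encoded_slash:
        return None                      # encoded slash rejected by default
    path = unquote(path)
    if "\\" in path:
        if not allow_backslash:
            return None                  # backslash rejected by default
        path = path.replace("\\", "/")   # property on: '\' acts as '/'
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None              # would escape the root
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)

PROXIED_PREFIX = "/scripts/"   # constructed: the only path the front end forwards

def naive_front_end_forwards(raw_path):
    """Front end that matches the raw, un-normalised request path."""
    return raw_path.startswith(PROXIED_PREFIX)

def hardened_front_end_forwards(raw_path):
    """Front end that normalises with the backend's default rules first,
    so a path that would resolve outside the prefix is never forwarded."""
    canon = tomcat_normalize(raw_path)
    return canon is not None and canon.startswith(PROXIED_PREFIX)

def reaches_manager(raw_path, allow_backslash=False, allow_encoded_slash=False):
    """True when a forwarded request ends up in the manager context."""
    canon = tomcat_normalize(raw_path, allow_backslash, allow_encoded_slash)
    return canon is not None and canon.startswith("/manager/")

if __name__ == "__main__":
    url = "/scripts/\\../manager/html"   # the URL from the scanner report above
    print(naive_front_end_forwards(url), hardened_front_end_forwards(url))
    print(reaches_manager(url), reaches_manager(url, allow_backslash=True))
```

With both properties left off, the scanner's URL is rejected before any context lookup; only with a property on and a front end matching the raw path does the request land in the manager context, which is the proxy case the quoted reply distinguishes from a direct localhost call.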