tomcat-users mailing list archives

From "Pid *" <>
Subject Re: Need help to understand CVE-2007-0450
Date Wed, 21 Nov 2012 18:18:48 GMT
On 21 Nov 2012, at 14:59, "André Warnier" <> wrote:

> Caldarale, Charles R wrote:
>>> From: Aditi Sinha [] Subject: Need help to understand
>>> We have a web server hosted on Tomcat 7.0.22.
>>> The tool was able to access the Tomcat manager application with the
>>> following URL:

What scanning tool, exactly?
How can I reproduce this?

>>> http://localhost:8080/scripts/\../manager/html
>>> As per Tomcat security documents the issue is not present in Tomcat 7.
>>> Is there anything wrong in our web application deployment?
>> As documented here:
>> there are two Java system properties that control behavior of Tomcat with regard to such URLs. Make sure neither is enabled.
> Just barging in here with my own question: is the above really to be considered as a Tomcat failure?

Such automated scanning tools are notorious for false positives.


> The call is made directly to Tomcat from localhost (obviously), which is allowed for the Manager application.
> The URL, as stated, seems valid to me. It will just result in "/scripts/../manager/" being equivalent to "/manager/", and the resulting URL is correct and allowed.
> I fail to see the problem (but I may be missing something).
> The special properties mentioned above address an issue where there is a front-end Apache server proxying to Tomcat, and which would have only "/scripts/" proxied to Tomcat.
> This would allow the call to be proxied (because it matches "/scripts"), and then resolved by Tomcat to a non-proxied (but valid) context.
> But I think that the case above is different, as there is apparently no proxy involved.
> (And anyway, if this was ever an issue, in my opinion it would have more to do with a proxy module weakness - or a lax configuration - than with Tomcat per se).
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

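The proxy scenario André describes (a front end that forwards only "/scripts/" to Tomcat, and a request path the front end and the backend canonicalise differently) can be modelled in a few lines. The following is an added example, not code from the thread, from Tomcat or from any proxy; the front-end model, the backend model and the sample URIs are assumptions built for illustration. The two system properties Charles refers to are not named in the thread; the names used here, org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH and org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH, are the ones from the Tomcat security pages, and both default to false. The model shows why a plain "/../" is harmless (the front end collapses it before matching), why the "\.." form only matters when a proxy is in front and ALLOW_BACKSLASH has been switched on, and what the front end should do instead: canonicalise the way the backend will before testing the prefix.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed scenario: the front end is meant to forward only this context to Tomcat.
PROXIED_PREFIX = "/scripts/"


def front_end_path(raw_uri: str) -> str:
    """Model (an assumption, not any real proxy's code) of a front end that collapses
    '.' and '..' segments split on '/' only and knows nothing about '\\' or '%2F'."""
    path = raw_uri.split("?", 1)[0]
    return posixpath.normpath(path)


def proxy_forwards(raw_uri: str) -> bool:
    """The weak check: forward when the front end's own view of the path has the prefix."""
    return front_end_path(raw_uri).startswith(PROXIED_PREFIX)


def tomcat_style_path(raw_uri: str, allow_backslash: bool = False,
                      allow_encoded_slash: bool = False):
    """Approximation (assumption) of the backend's canonicalisation, parameterised on
    the two Tomcat system properties:
      org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH  (default false)
      org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH (default false)
    Returns the canonical path, or None when the request would be rejected (HTTP 400)."""
    path = raw_uri.split("?", 1)[0]
    # With the default, an encoded '/' or '\' in the path is refused outright.
    if not allow_encoded_slash and re.search(r"%(2f|5c)", path, re.IGNORECASE):
        return None
    path = unquote(path)
    # With the default, a literal backslash is refused; when allowed it becomes '/'.
    if "\\" in path:
        if not allow_backslash:
            return None
        path = path.replace("\\", "/")
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else None


def outcome(raw_uri: str, allow_backslash: bool = False,
            allow_encoded_slash: bool = False) -> str:
    """What a request ends up hitting when it goes through the weak front end."""
    if not proxy_forwards(raw_uri):
        return "not forwarded by proxy"
    backend = tomcat_style_path(raw_uri, allow_backslash, allow_encoded_slash)
    if backend is None:
        return "rejected by Tomcat (400)"
    if backend.startswith(PROXIED_PREFIX):
        return "served: " + backend
    return "PROXY RESTRICTION BYPASSED, served: " + backend


def hardened_proxy_forwards(raw_uri: str) -> bool:
    """Mitigation on the front end: canonicalise the way the backend will (with both
    properties at their default of false) and test the prefix only after that."""
    backend = tomcat_style_path(raw_uri)
    return backend is not None and backend.startswith(PROXIED_PREFIX)


if __name__ == "__main__":
    # Constructed sample request paths, including the one quoted in the thread.
    for uri in ("/scripts/index.jsp", "/scripts/../manager/html",
                "/scripts/\\../manager/html", "/scripts/..%2Fmanager/html"):
        print(f"{uri:30} defaults: {outcome(uri):26} "
              f"both properties true: {outcome(uri, True, True)}")
```

With both properties left at their defaults the odd-looking paths are answered with a 400 whether or not a proxy is in front, which is why the Tomcat 7 security page lists this issue as fixed; the bypass only reappears when an administrator turns a property on and the front end still matches on its own, different, view of the path.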
