tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Need help to understand CVE-2007-0450
Date Wed, 21 Nov 2012 14:59:03 GMT
Caldarale, Charles R wrote:
>> From: Aditi Sinha [] 
>> Subject: Need help to understand CVE-2007-0450
>> We have a web server hosted on Tomcat 7.0.22.
>> The tool was able to access the Tomcat manager application with the
>> following URL :
>> http://localhost:8080/scripts/\../manager/html
>> As per Tomcat security documents the issue is not present in Tomcat 7.
>> Is there anything wrong in our web application deployment?
> As documented here:
> there are two Java system properties that control behavior of Tomcat with regard to such
URLs.  Make sure neither is enabled.

Just barging in here with my own question : is the above really to be considered as a 
Tomcat failure ?

The call is made directly to Tomcat from localhost (obviously), which is allowed for the 
Manager application.
The URL, as stated, seems valid to me.  It will just result in "/scripts/../manager/" 
being equivalent to "/manager/", and the resulting URL is correct and allowed.

I fail to see the problem (but I may be missing something).

The special properties mentioned above address an issue where there is a front-end Apache

server proxying to Tomcat, and which would have only "/scripts/" proxied to Tomcat.
This would allow the call to be proxied (because it matches "/scripts", and then resolved

by Tomcat to a non-proxied (but valid) context.
But I think that the case above is different, as there is apparently no proxy involved.

(And anyway, if this was ever an issue, in my opinion it would have more to do with a 
proxy module weakness - or a lax configuration - than with Tomcat per se).

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message