From André Warnier
Subject Re: Need help to understand CVE-2007-0450
Date Thu, 22 Nov 2012 08:47:33 GMT
If you top-post (which is strongly discouraged on this list), it makes it very difficult 
to answer your questions and still leave the whole thing understandable for other people 
who may try to follow this thread.

Aditi Sinha wrote:
> Hi Mark, Chuck,
> Thanks for the explanation.
> On checking, we found that the system properties below are set to true by our
> application for a requirement.
> org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true
> org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true
> Is there any other workaround/solution which can help us make our
> application secure w.r.t this vulnerability?

As Mark tried to point out, in a standard default Tomcat configuration, this issue would not exist, because

   a) a URL with a "\" in it is an invalid URL, and it would be rejected by a Tomcat configured normally. It is only because you explicitly tell Tomcat to act in a non-standard way, that the issue occurs with this URL.
So the issue is of your own doing.  If your application has such a requirement, then it is your application that needs to be corrected, not Tomcat.
To use an analogy: if you knowingly disable the brakes of your car, and then sue the manufacturer because you had a road accident because your car didn't stop anymore, chances are that you will lose the lawsuit. (*)

   b) without the backslash in it, "http://localhost:8080/scripts/../manager/html" is a perfectly valid URL, which evaluates to "http://localhost:8080/manager/html", which is a valid URL and does *not* involve "directory traversal" of any kind. So it is the program that "detects" this so-called vulnerability which is wrong, and obviously there is nothing that the Tomcat folks can do about this.

   c) in a normal Tomcat setup, the Manager application is protected by an authentication and access-control mechanism. So a request to "http://localhost:8080/manager/html" would lead to a login page or other form of authentication, and would not provide unauthorised access to the Manager app. So there is no security weakness issue involved either.

In other words: the logical course of action here would be to tell whoever is running this program, that the warning issued by the program is bogus, and tell them that it should be ignored. And if they are smart, they will respond that Tomcat should have rejected this invalid URL because it has a backslash in it.  And then you will have to explain to them that your application requires Tomcat to accept these invalid URLs.

Now if you want a sneaky way to make this particular message go away, and under your own responsibility, you could always uninstall (or rename) the Manager application.  But don't tell anyone that I said this (and don't even think for a second that it makes the fundamental issue go away.)

(*) Although a US tort lawyer might argue in this case that by providing these special Java options to disable the brakes, the Tomcat developers are complicit with the users who use them, and thus liable for a million-dollar emotional distress compensation payment.
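The following is an added illustration, not part of the thread and not Tomcat's own code: a simplified, assumed model of the decode-then-normalize behaviour the reply describes in points a) and b), so that the effect of the two system properties named by the original poster can be checked against the URL from the thread. Function names and the 400-as-None convention are this model's, not Tomcat's.

```python
from typing import Optional
from urllib.parse import unquote


def decode_path(raw: str, allow_encoded_slash: bool) -> Optional[str]:
    """Percent-decode the request path. With the Tomcat default (False) an
    encoded slash (%2F) is refused outright; None stands for the 400 reply."""
    if not allow_encoded_slash and "%2f" in raw.lower():
        return None
    return unquote(raw)


def normalize(path: str, allow_backslash: bool) -> Optional[str]:
    """Collapse '.' and '..' segments. A backslash is only tolerated (and
    rewritten to '/') when ALLOW_BACKSLASH is on; otherwise the URL is invalid."""
    if "\\" in path:
        if not allow_backslash:
            return None
        path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue  # empty (double slash) or current-directory segment
        if seg == "..":
            if not segments:
                return None  # would climb above the context root: reject
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def resolve(raw: str, allow_encoded_slash: bool = False,
            allow_backslash: bool = False) -> Optional[str]:
    """Decode, then normalize (simplified model, assumed order). None means
    the request is rejected; a string is the path that would be mapped."""
    decoded = decode_path(raw, allow_encoded_slash)
    if decoded is None:
        return None
    return normalize(decoded, allow_backslash)


if __name__ == "__main__":
    # The URL from the thread, with and without a backslash, under both settings.
    for raw in ("/scripts/../manager/html", "/scripts/..\\manager/html"):
        print(raw, "default ->", resolve(raw),
              "| both properties true ->", resolve(raw, True, True))
```

With defaults the backslash form is refused while the plain "/scripts/../manager/html" form resolves to "/manager/html" as the reply says; with both properties set to true, the backslash form resolves to the same path, which is the condition the scanner reports on.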
