tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aditi Sinha <adisinha0...@gmail.com>
Subject Re: Need help to understand CVE-2007-0450
Date Thu, 22 Nov 2012 07:34:16 GMT
Hi Mark, Chuck,


Thanks for the explanation.

On checking found that, below system properties are set to true by our
application for a requirement.


                 org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:
true


org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true



Is there any other workaround/solution which can help us make our
application secure w.r.t this vulnerability?


Thanks & Regards,
Aditi

On Wed, Nov 21, 2012 at 8:00 PM, Mark Thomas <markt@apache.org> wrote:

> On 21/11/2012 13:40, Aditi Sinha wrote:
> > Hi,
> >
> > We have a web server hosted on Tomcat 7.0.22.
> >
> > There are two connectors defined server.xml listening at port 8080 and
> 8443.
> > During vulnerability scan a 3rd party tool reported  CVE-2007-0450
> “Apache
> > Tomcat Directory Traversal Attack” on both ports 8080 and 8443.
> > The tool was able to access the Tomcat manager application with the
> > following URL :
> > http://localhost:8080/scripts/\../manager/html
> >
> > As per Tomcat security documents the issue is not present in Tomcat 7.
>
> First of all, a clean Tomcat 7.0.22 install will return "400 Bad
> Request" if you try accessing that install.
>
> The problem is that "\" is not a valid character in a URL so Tomcat -
> rightly - complains.
>
> It is possible to get Tomcat to treat "\" as "/" by setting the
> following system property:
> -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true
>
> There is a reason that property is in the security section and that the
> default is "false". Setting it to "true" can have unexpected
> consequences (CVE-2010-0450) when Tomcat is used in conjunction with
> reverse proxies.
>
> If a value of "true" is used then Tomcat will retreat the URL above as
> http://localhost:8080/scripts//../manager/html
>
> which will be normalized to:
> http://localhost:8080/manager/html
>
> Given you appear to be accessing Tomcat directly, even with
> ALLOW_BACKSLASH=true this is not a directory traversal. It is a
> non-normalized URL that is being normalized which is perfectly normal.
>
> Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message