From: "Pid *"
Date: Wed, 21 Nov 2012 18:18:48 +0000
Subject: Re: Need help to understand CVE-2007-0450
To: Tomcat Users List
In-Reply-To: <50ACEC37.8040102@ice-sa.com>

On 21 Nov 2012, at 14:59, "André Warnier" wrote:

> Caldarale, Charles R wrote:
>>> From: Aditi Sinha [mailto:adisinha0423@gmail.com]
>>> Subject: Need help to understand CVE-2007-0450
>>>
>>> We have a web server hosted on Tomcat 7.0.22.
>>> The tool was able to access the Tomcat manager application with the
>>> following URL :

What scanning tool, exactly? How can I reproduce this?

>>> http://localhost:8080/scripts/\../manager/html
>>> As per Tomcat security documents the issue is not present in Tomcat 7.
>>> Is there anything wrong in our web application deployment?
>>
>> As documented here:
>> http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10
>> there are two Java system properties that control behavior of Tomcat with regard to such URLs. Make sure neither is enabled.
>
> Just barging in here with my own question: is the above really to be considered as a Tomcat failure?

Such automated scanning tools are notorious for false positives.

p

> The call is made directly to Tomcat from localhost (obviously), which is allowed for the Manager application.
> The URL, as stated, seems valid to me. It will just result in "/scripts/../manager/" being equivalent to "/manager/", and the resulting URL is correct and allowed.
>
> I fail to see the problem (but I may be missing something).
>
> The special properties mentioned above address an issue where there is a front-end Apache server proxying to Tomcat, and which would have only "/scripts/" proxied to Tomcat.
> This would allow the call to be proxied (because it matches "/scripts"), and then resolved by Tomcat to a non-proxied (but valid) context.
> But I think that the case above is different, as there is apparently no proxy involved.
>
> (And anyway, if this was ever an issue, in my opinion it would have more to do with a proxy module weakness - or a lax configuration - than with Tomcat per se).

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
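The proxy-prefix mismatch André describes, as an added example that is not part of the thread: a small model in which a front-end matches the raw path against "/scripts/" while the backend canonicalises the path first, so the two disagree about where the request lands. The proxy and backend logic are simplified assumptions (not mod_proxy's or Tomcat's code); the two system properties named in the comments are the ones the linked 6.0.10 advisory refers to, and the scanner path is the one quoted in the thread.

```python
# Added example (not from the thread): models the canonicalisation mismatch behind
# CVE-2007-0450. Proxy and backend behaviour are simplified assumptions, not real code.
from typing import Optional
from urllib.parse import unquote

# Path from the scanner report quoted in the thread
SCANNER_PATH = "/scripts/\\../manager/html"

def proxy_forwards(raw_path: str, proxied_prefix: str = "/scripts/") -> bool:
    """Naive front-end rule: forward only if the *raw* path starts with the prefix."""
    return raw_path.startswith(proxied_prefix)

def backend_resolve(raw_path: str, allow_backslash: bool = False,
                    allow_encoded_slash: bool = False) -> Optional[str]:
    """Approximate backend canonicalisation of a request path.
    allow_backslash     ~ org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH
    allow_encoded_slash ~ org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH
    (the two properties the linked 6.0.10 advisory says to leave disabled).
    Returns None when the request would be rejected."""
    if not allow_encoded_slash and "%2f" in raw_path.lower():
        return None                      # encoded slash refused outright
    path = unquote(raw_path)
    if allow_backslash:
        path = path.replace("\\", "/")   # backslash becomes a separator
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None              # would climb above the root
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)

def _within(resolved: Optional[str], prefix: str) -> bool:
    return resolved is not None and (resolved + "/").startswith(prefix)

def prefix_bypassed(raw_path: str, proxied_prefix: str = "/scripts/", **flags) -> bool:
    """Proxy forwards on the raw path, but the backend lands outside the prefix."""
    if not proxy_forwards(raw_path, proxied_prefix):
        return False
    resolved = backend_resolve(raw_path, **flags)
    return resolved is not None and not _within(resolved, proxied_prefix)

def safe_proxy_forwards(raw_path: str, proxied_prefix: str = "/scripts/", **flags) -> bool:
    """Mitigation: match the prefix against the canonical path the backend will see."""
    return _within(backend_resolve(raw_path, **flags), proxied_prefix)
```

With both properties left at their defaults the backslash path never escapes "/scripts/", which is the point of the advice to keep them disabled; the direct-to-Tomcat case in the thread involves no proxy rule at all, so the model reports no bypass there either.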