On 21/11/2012 13:40, Aditi Sinha wrote:
> Hi,
>
> We have a web server hosted on Tomcat 7.0.22.
>
> There are two connectors defined in server.xml listening at ports 8080 and 8443.
> During a vulnerability scan a 3rd party tool reported CVE-2007-0450 "Apache
> Tomcat Directory Traversal Attack" on both ports 8080 and 8443.
> The tool was able to access the Tomcat manager application with the
> following URL:
> http://localhost:8080/scripts/\../manager/html
>
> As per Tomcat security documents the issue is not present in Tomcat 7.
First of all, a clean Tomcat 7.0.22 install will return "400 Bad Request" if you try accessing that install. The problem is that "\" is not a valid character in a URL so Tomcat - rightly - complains.

It is possible to get Tomcat to treat "\" as "/" by setting the following system property:

-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true

There is a reason that property is in the security section and that the default is "false". Setting it to "true" can have unexpected consequences (CVE-2010-0450) when Tomcat is used in conjunction with reverse proxies.

If a value of "true" is used then Tomcat will treat the URL above as

http://localhost:8080/scripts//../manager/html

which will be normalized to:

http://localhost:8080/manager/html

Given you appear to be accessing Tomcat directly, even with ALLOW_BACKSLASH=true this is not a directory traversal. It is a non-normalized URL that is being normalized, which is perfectly normal.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
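As an added illustration (example code, not Tomcat's own code and not part of the reply above): a small Python model of the path handling Mark describes, rejecting "\" by default or rewriting it to "/" and normalizing when ALLOW_BACKSLASH is on, together with a constructed reverse-proxy rule that filters on the raw path. The proxy rule and the "/manager/" prefix are assumptions made for the illustration.

```python
# Model of a Tomcat-like request path handler (illustration only, not Tomcat's code).
# Shows why "/scripts/\../manager/html" is a 400 by default, what it becomes with
# ALLOW_BACKSLASH=true, and why a proxy that filters the raw path may disagree.


class BadRequest(Exception):
    """Models the 400 response for a path the container refuses to process."""


def normalize_path(raw_path: str, allow_backslash: bool = False) -> str:
    """Return the normalized request path.

    allow_backslash=False: any "\\" in the path is rejected with a 400.
    allow_backslash=True:  every "\\" becomes "/", then "//", "." and ".."
                           segments are resolved (".." above the root is a 400).
    """
    if "\\" in raw_path:
        if not allow_backslash:
            raise BadRequest('400 Bad Request: "\\" is not a valid character in a URL')
        raw_path = raw_path.replace("\\", "/")
    out = []
    for seg in raw_path.split("/"):
        if seg in ("", "."):
            continue              # "//" and "/./" collapse to nothing
        if seg == "..":
            if not out:
                raise BadRequest("400 Bad Request: traversal above the context root")
            out.pop()             # ".." drops the previous segment
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_rejected(raw_path: str, allow_backslash: bool = False) -> bool:
    """True when the container would answer 400 for this path."""
    try:
        normalize_path(raw_path, allow_backslash)
        return False
    except BadRequest:
        return True


def proxy_vs_backend(raw_path: str, allow_backslash: bool, protected_prefix: str = "/manager/"):
    """Constructed reverse-proxy rule: block when the RAW path starts with the prefix.

    Returns (proxy_blocked, backend_path_or_error). With allow_backslash=True the
    backend can end up serving a path the proxy never saw, which is the mismatch the
    reply warns about; keeping ALLOW_BACKSLASH at its default "false" avoids it.
    """
    proxy_blocked = raw_path.startswith(protected_prefix)
    try:
        backend = normalize_path(raw_path, allow_backslash)
    except BadRequest as err:
        backend = str(err)
    return proxy_blocked, backend
```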