On 22 Nov 2012, at 07:34, Aditi Sinha <adisinha0...@gmail.com> wrote:
> Hi Mark, Chuck,
>
> Thanks for the explanation.
>
> On checking, we found that the system properties below are set to true by our
> application for a requirement.
>
> org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true
>
> org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true
>
> Is there any other workaround/solution which can help us make our
> application secure w.r.t. this vulnerability?

Maybe I'm missing something, but I'm not sure I've seen evidence that there is a vulnerability and that this isn't a false positive.

p

> Thanks & Regards,
> Aditi
>
> On Wed, Nov 21, 2012 at 8:00 PM, Mark Thomas <ma...@apache.org> wrote:
>
>> On 21/11/2012 13:40, Aditi Sinha wrote:
>>> Hi,
>>>
>>> We have a web server hosted on Tomcat 7.0.22.
>>>
>>> There are two connectors defined in server.xml listening at ports 8080 and 8443.
>>>
>>> During a vulnerability scan a 3rd party tool reported CVE-2007-0450
>>> "Apache Tomcat Directory Traversal Attack" on both ports 8080 and 8443.
>>> The tool was able to access the Tomcat manager application with the
>>> following URL:
>>> http://localhost:8080/scripts/\../manager/html
>>>
>>> As per Tomcat security documents the issue is not present in Tomcat 7.
>>
>> First of all, a clean Tomcat 7.0.22 install will return "400 Bad
>> Request" if you try accessing that install.
>>
>> The problem is that "\" is not a valid character in a URL so Tomcat -
>> rightly - complains.
>>
>> It is possible to get Tomcat to treat "\" as "/" by setting the
>> following system property:
>> -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true
>>
>> There is a reason that property is in the security section and that the
>> default is "false". Setting it to "true" can have unexpected
>> consequences (CVE-2010-0450) when Tomcat is used in conjunction with
>> reverse proxies.
>>
>> If a value of "true" is used then Tomcat will treat the URL above as
>> http://localhost:8080/scripts//../manager/html
>>
>> which will be normalized to:
>> http://localhost:8080/manager/html
>>
>> Given you appear to be accessing Tomcat directly, even with
>> ALLOW_BACKSLASH=true this is not a directory traversal. It is a
>> non-normalized URL that is being normalized, which is perfectly normal.
>>
>> Mark
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
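The following is an added example, not code from the thread or from Tomcat itself. It is a small Python model of the request-path handling Mark describes above, so the default behaviour (a backslash is rejected with 400) can be compared with ALLOW_BACKSLASH=true (backslash becomes a slash, then the path is normalized) and with ALLOW_ENCODED_SLASH=true (%2F decodes to a separator). The function and class names (`tomcat_view`, `normalize`, `BadRequest`, `proxy_rule_mismatch`), the sample paths and the "protected prefix" audit idea are assumptions for illustration; the only behaviour taken from the thread is that `/scripts/\../manager/html` is rejected by default and normalizes to `/manager/html` when backslashes are allowed. `proxy_rule_mismatch` is the defender-side check the thread hints at: whether a reverse proxy matching on the raw path would disagree with Tomcat's normalized view about what is being served.

```python
"""
Model of Tomcat's request-path handling as described on the users list
(added illustration, NOT Tomcat's code). Behaviour modelled:

  default                  -> '\' in the path is rejected (400 Bad Request)
  ALLOW_BACKSLASH=true     -> '\' is treated as '/', then the path is normalized
  ALLOW_ENCODED_SLASH=true -> '%2F' decodes to '/' before normalization;
                              otherwise an encoded slash is rejected
"""
from urllib.parse import unquote


class BadRequest(Exception):
    """Stands in for the 400 response Tomcat returns for an invalid path."""


def normalize(path: str) -> str:
    """Resolve '.' and '..' segments and collapse empty segments ('//').

    A '..' that would climb above the root is rejected rather than ignored,
    because an error is safer than silently serving a different resource.
    """
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                      # '//' and '/./' add nothing
        if seg == "..":
            if not out:
                raise BadRequest("path escapes the root")
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def tomcat_view(raw: str, allow_backslash: bool = False,
                allow_encoded_slash: bool = False) -> str:
    """Return the path Tomcat would actually resolve, under the two settings."""
    if "%2f" in raw.lower() and not allow_encoded_slash:
        raise BadRequest("encoded slash not allowed")
    path = unquote(raw)                   # percent-decoding happens first
    if "\\" in path:
        if not allow_backslash:
            raise BadRequest("backslash is not a valid URL character")
        path = path.replace("\\", "/")    # the ALLOW_BACKSLASH=true behaviour
    return normalize(path)


def rejects(raw: str, **settings) -> bool:
    """True if the modelled Tomcat answers 400 for this raw path."""
    try:
        tomcat_view(raw, **settings)
        return False
    except BadRequest:
        return True


def proxy_rule_mismatch(raw: str, protected_prefix: str, **settings) -> bool:
    """Audit helper (assumed, not a Tomcat feature): does a front-end rule that
    matches on the *raw* path disagree with Tomcat's normalized view about
    whether the request lands under `protected_prefix`? True means the proxy
    rule would not see what Tomcat ends up serving, i.e. the rule must be
    applied to the normalized form (or the setting left at its default)."""
    proxy_sees_protected = raw.startswith(protected_prefix)
    try:
        tomcat_sees_protected = tomcat_view(raw, **settings).startswith(protected_prefix)
    except BadRequest:
        return False                      # a 400 is never served; no mismatch
    return tomcat_sees_protected and not proxy_sees_protected


if __name__ == "__main__":
    sample = "/scripts/\\../manager/html"   # the URL from the thread
    print("default:        ", "400" if rejects(sample) else tomcat_view(sample))
    print("ALLOW_BACKSLASH:", tomcat_view(sample, allow_backslash=True))
    print("proxy mismatch: ", proxy_rule_mismatch(sample, "/manager", allow_backslash=True))
```

Running the script shows the thread's two outcomes side by side: the default configuration answers 400, while ALLOW_BACKSLASH=true resolves the same request to `/manager/html`. The last line is the practical takeaway when a reverse proxy sits in front of Tomcat: an access rule written against the raw path `/scripts/...` would not match, while Tomcat serves `/manager/html`, so path-based rules at the proxy need to operate on the same normalized form Tomcat uses.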