There isn't anything here that indicates there there is a problem for
Tomcat to solve.
You appear to be using a tool provided by Cisco. I suggest you contact
Cisco for support.
If you still believe that there is a Tomcat issue here please provide:
- Full details (including HTTP headers) of a request that triggers the
issue
- Full details of how the response differs from what you expect
Generally, I'll note that in the default configuration, Tomcat will
route all requests to the default host irrespective of the value
presented in the Host header.
Mark
On 14/12/2022 13:00, Ragavendhiran Bhiman (rabhiman) wrote:
Hi All,
I am facing one issue related to host header manipulation changing the host
header is chaning the url itself. This attack is done via the burp suite tool.
I have copied the current configuration here as you could see the default
hostname is defined and apBase is provided.
The attack is happening only before the admin login page. Any pages displayed
after the login the host header manipulation is not happening. Kindly advise me
how to fix this problem from apache side.
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- This Realm uses the UserDatabase configured in the global
JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<!-- <Realm
className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>-->
<Realm className="com.cisco.cpm.infra.realm.AdminRealm"/>
<Valve className="org.apache.catalina.valves.MethodsValve"
methodsSupported="GET,POST,PUT,DELETE,HEAD" />
<!-- Define the default virtual host
Note: XML Schema validation will not work with Xerces 2.2.
-->
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!-- CSCtn68389 enable the SSO Vlave in order to avoid
repetetavie REST authentications throgh AdminRealm. By enabling the Valve,
The Authenticate Methos in the Realm is being Invoked
only once and after that, tomcat sends a jsessionidsso cookie to the client.
The Client sends the jsessionidsso back in each request so
tomcat can map the request to a live session without the need to authenticate.
-->
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
<Valve className="com.cisco.ise.tomcat.valves.GuestVlanUrlRedirectValve"
/>
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html -->
<!-- <Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"
Thanks & Regards,
Raghav
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
