On 01/02/2023 18:48, James H. H. Lampert wrote:
> We got this from a customer who did a security scan:
> 
> A Tomcat Manager login panel was discovered via path normalization.
> Normalizing a path involves modifying the string that identifies a
> path or file so that it conforms to a valid path on the target
> operating system.
> 
> QID Detection Logic: This QID sends a HTTP GET request with /..;/
> payload and based on the response confirms if the target is
> vulnerable.
> 
> Remediation notes
> 
> Customers are advised to configure the reverse proxy to reject paths
> that contain the Tomcat path parameter character ;
> 
> This sounds to me like something external to Tomcat, and external to the box Tomcat is running on. Would that be correct?

Yes. The customer has a reverse proxy (such as httpd, nginx, etc.). The issue will be something like:

Tomcat has contexts "/app", "/manager" and possibly others deployed.

The proxy is configured to proxy "/app" to Tomcat

The pen tester requested "/app/..;/manager"

The proxy passed that as is to Tomcat since it starts with "/app"

Tomcat normalized that using Servlet normalization rules (which are not the same as HTTP normalization rules) and got "/manager", so the request was mapped to the manager app.

Possible mitigations:

1. Remove the manager app from the Tomcat instance

2. Configure the proxy to reject "suspicious" URIs like the one in this case. There is a useful list of suspicious URIs in the Servlet 6.0 spec.

Newer versions of httpd have a config setting to normalize proxied URIs using the Servlet rules - that also avoids this issue.

3. Upgrade to Tomcat 10 where such suspicious URIs are rejected by default.

HTH,

Mark
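The sequence Mark describes (proxy prefix check passes, Tomcat's Servlet-style normalization then maps the request elsewhere) modelled as an added Python example. This is not Tomcat's code, not httpd or nginx configuration, and not part of the thread; the normalization routine is a simplified approximation of the Servlet rules, the "suspicious URI" rules are this example's own approximation of the list Mark mentions rather than a quotation of the spec, and the deployment (contexts "/app" and "/manager", proxy forwarding "/app") and the sample request paths are constructed.

```python
from urllib.parse import unquote

# Constructed deployment matching Mark's description: the proxy forwards
# "/app" to Tomcat, which also has the manager app deployed.
PROXIED_PREFIX = "/app"
TOMCAT_CONTEXTS = ("/app", "/manager")

# Constructed sample request paths (not from the original thread).
SAMPLE_REQUESTS = [
    "/app/index.jsp",
    "/app/..;/manager/html",
    "/app/%2e%2e/manager/html",
    "/app//manager",
    "/app/foo;jsessionid=abc/bar",
]


def servlet_normalize(path: str) -> str:
    """Simplified model of Servlet-style normalisation (assumption: an
    approximation for illustration, not Tomcat's actual code). Each segment
    has its ';' path parameter stripped and is percent-decoded, then '.' and
    '..' segments are resolved. This is what turns "/app/..;/manager" into
    "/manager" after the proxy has already accepted it."""
    resolved = []
    for raw in path.split("/"):
        seg = unquote(raw.split(";", 1)[0])
        if seg in ("", "."):
            continue
        if seg == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(seg)
    return "/" + "/".join(resolved)


def mapped_context(path: str) -> str:
    """Context Tomcat would map the request to after normalisation
    (longest matching context wins, as in servlet context mapping)."""
    norm = servlet_normalize(path)
    for ctx in sorted(TOMCAT_CONTEXTS, key=len, reverse=True):
        if norm == ctx or norm.startswith(ctx + "/"):
            return ctx
    return "/"  # ROOT context


def suspicious_uri_reasons(path: str) -> list:
    """Reasons a proxy should reject the raw request path. The rule set is
    this example's approximation of the 'suspicious URI' idea, checked on
    the raw (un-normalised) path as a proxy would see it."""
    reasons = []
    lowered = path.lower()
    if "%2f" in lowered or "%5c" in lowered or "\\" in path:
        reasons.append("encoded or literal path separator")
    if "%2e" in lowered:
        reasons.append("encoded dot")
    if "//" in path:
        reasons.append("empty segment")
    for raw in path.split("/"):
        name, sep, _ = raw.partition(";")
        if name == "..":
            reasons.append("'..' segment")
        elif sep and name == ".":
            reasons.append("'.' segment with path parameter")
    return reasons


def naive_proxy_forwards(path: str) -> bool:
    """The prefix-only check from Mark's scenario: anything under "/app"
    is passed to Tomcat unchanged."""
    return path == PROXIED_PREFIX or path.startswith(PROXIED_PREFIX + "/")


def hardened_proxy_forwards(path: str) -> bool:
    """Mitigation 2 in code: reject suspicious raw paths, and only forward
    when the path still lands in "/app" after Servlet-style normalisation."""
    if suspicious_uri_reasons(path):
        return False
    return mapped_context(path) == PROXIED_PREFIX


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req:30} naive={naive_proxy_forwards(req)!s:5} "
              f"hardened={hardened_proxy_forwards(req)!s:5} "
              f"tomcat_maps_to={mapped_context(req)}")
```

Running the script shows the gap: the naive check forwards "/app/..;/manager/html" because it starts with "/app", while Tomcat maps it to "/manager". The hardened check rejects it, but still forwards "/app/foo;jsessionid=abc/bar", so ordinary path parameters are not blanket-blocked; what matters is where the path ends up after normalization.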

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
