On 01/02/2023 21:51, James H. H. Lampert wrote:
> On 2/1/23 12:06 PM, Mark Thomas wrote:
>> The pen tester requested "/app/..;/manager"
>> The proxy passed that as is to Tomcat since it starts with "/app"
>
> Thanks.
>
> As it happens, this particular customer was the first one in which I
> tried putting the only IP addresses with any business accessing manager
> into its remote address valve, instead of just commenting out the valve.
>
> I tried that syntax in a browser, from an IP address that's allowed to
> access manager, and it got in.
>
> I then tried it in a browser on my Chromebook, going through my cell
> phone's hotspot (which would definitely NOT have a permitted address),
> and it didn't even get to the sign-on panel before kicking me out with
> an error message.
ACK.
Providing the proxy and Tomcat are configured such that Tomcat sees the
real client IP rather than the proxy IP that should be fine.
Mark
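Added illustration of the two points in this exchange (example code, not Tomcat's or any proxy's own implementation): first, why a request such as "/app/..;/manager" satisfies a proxy rule that looks at the raw URI prefix yet maps to "/manager" once the servlet container strips path parameters; second, Mark's caveat that a remote address valve on the manager only helps if Tomcat sees the real client address, which is modelled here with a simplified RemoteIpValve-style walk of X-Forwarded-For. All addresses, header values, prefixes and the allow pattern are constructed sample values.

```python
"""
Model of a naive proxy prefix check versus container path resolution, plus a
simplified RemoteIpValve/RemoteAddrValve decision. Illustration only; the
real Tomcat valves have more options (internalProxies, proxiesHeader, ...).
"""
import ipaddress
import re
from posixpath import normpath
from typing import List, Optional


def strip_path_params(raw_path: str) -> str:
    """Drop ';...' path parameters from every segment, as the servlet container
    does before mapping. A reverse proxy matching on the raw URI does not."""
    return "/".join(seg.split(";", 1)[0] for seg in raw_path.split("/"))


def container_resolved_path(raw_path: str) -> str:
    """Approximate the path the container actually maps: strip path
    parameters, then collapse '.' and '..' segments."""
    resolved = normpath(strip_path_params(raw_path))
    if resolved.startswith("//"):      # posixpath keeps a double leading slash
        resolved = resolved[1:]
    if not resolved.startswith("/"):
        resolved = "/" + resolved
    return resolved


def proxy_prefix_allows(raw_path: str, allowed_prefix: str = "/app") -> bool:
    """The rule from the thread: forward anything whose raw URI starts with /app."""
    return raw_path == allowed_prefix or raw_path.startswith(allowed_prefix + "/")


def hardened_proxy_allows(raw_path: str, allowed_prefix: str = "/app") -> bool:
    """Same rule, but applied to the path the container will resolve."""
    return proxy_prefix_allows(container_resolved_path(raw_path), allowed_prefix)


def effective_client_ip(peer_ip: str, x_forwarded_for: Optional[str],
                        trusted_proxies: List[str]) -> str:
    """Simplified RemoteIpValve: only when the TCP peer is a trusted proxy is
    X-Forwarded-For consulted; hops are walked from the right and trusted
    proxies discarded; the first untrusted hop is the client. A header sent
    by an untrusted peer is ignored, so it cannot be spoofed past the valve."""
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in nets)

    if not x_forwarded_for or not is_trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]   # every hop was a trusted proxy: report the leftmost one


# Constructed allow pattern in RemoteAddrValve style: loopback plus one admin host.
MANAGER_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|203\.0\.113\.17"


def manager_access_allowed(peer_ip: str, x_forwarded_for: Optional[str],
                           trusted_proxies: List[str],
                           allow_pattern: str = MANAGER_ALLOW) -> bool:
    """RemoteAddrValve semantics: the whole effective address must match."""
    client = effective_client_ip(peer_ip, x_forwarded_for, trusted_proxies)
    return re.fullmatch(allow_pattern, client) is not None


if __name__ == "__main__":
    raw = "/app/..;/manager"
    print("raw prefix check passes:", proxy_prefix_allows(raw))
    print("container maps it to:", container_resolved_path(raw))
    print("hardened check passes:", hardened_proxy_allows(raw))
    proxy, admin, hotspot = "10.0.0.5", "203.0.113.17", "198.51.100.23"
    print("admin via trusted proxy:", manager_access_allowed(proxy, admin, [proxy]))
    print("hotspot via trusted proxy:", manager_access_allowed(proxy, hotspot, [proxy]))
    print("admin, proxy not trusted:", manager_access_allowed(proxy, admin, []))
```

The last case is the one Mark's caveat is about: if Tomcat is not configured to trust the proxy, every request arrives from 10.0.0.5 and the allow list either blocks everyone (as here) or, if the proxy address is added to it, admits everyone the proxy forwards. Beyond matching on the resolved path, the proxy can simply refuse any URI containing ";" or a ".." segment before forwarding.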