On 05/07/2023 20:15, James Boggs wrote:
Hello,

I was sent this information; I hope this meets your expectations.

Thanks. It does.

The request headers do not contain an invalid Content-Length header so CVE-2022-42252 is not applicable to this situation.

The requests are valid HTTP requests (unless I missed something) so something would have to be severely broken for there to be request smuggling.

I have tested the request on a clean build of Tomcat 9.0.73 and Tomcat correctly redirects to https://rplans.army.mil/ for both requests.

You may want to look at the proxy rather than Tomcat.

To figure out what is going on you are going to need to look at the network traces for both the client<->proxy link and the proxy<->tomcat link.

Mark



-----------------------------------------------------------------------------------------
Request 1

GET / HTTP/1.1
Host: rplans.army.mil
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="113", "Chromium";v="113"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 61
Cookie: ai_user=zah6PVBAYp+ILUaHTr/CZn|2023-06-27T16:40:26.575Z; ai_session=4yP6RgcdmaqsiFQJVdym6I|1687884026682|1687884026682; _ga=GA1.2.1707569457.1687904638; _gid=GA1.2.1713949416.1687904638; _gat=1

GET /j6pnv4c5dp?j6pnv4c5dp=j6pnv4c5dp HTTP/1.1
X: kyhzap9frc

Response 1

HTTP/1.1 301 Moved Permanently
Server: AkamaiGHost
Content-Length: 0
Location: https://rplans.army.mil/
Date: Wed, 28 Jun 2023 01:37:07 GMT
Connection: Keep-Alive

Request 2

GET / HTTP/1.1
Host: rplans.army.mil
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="113", "Chromium";v="113"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 61
Cookie: ai_user=zah6PVBAYp+ILUaHTr/CZn|2023-06-27T16:40:26.575Z; ai_session=4yP6RgcdmaqsiFQJVdym6I|1687884026682|1687884026682; _ga=GA1.2.1707569457.1687904638; _gid=GA1.2.1713949416.1687904638; _gat=1

GET /j6pnv4c5dp?j6pnv4c5dp=j6pnv4c5dp HTTP/1.1
X: kyhzap9frc

Response 2

HTTP/1.1 301 Moved Permanently
Server: AkamaiGHost
Content-Length: 0
Location: https://rplans.army.mil/j6pnv4c5dp?j6pnv4c5dp=j6pnv4c5dp
Date: Wed, 28 Jun 2023 01:37:09 GMT
Connection: Keep-Alive
-------------------------------------------------------------------------------------------------------------------------

V/r,


James Boggs | Senior DBA/SA | Mobile: 571-337-0535
“Trust, Integrity, Loyalty to Our Customers, Employees and Partner”
VA Verified (SDVOSB) | SBA Certified 8(a) | SB | SDB | MBE/DBE (MD) | SWaM (VA)
ISO 9001:2015|ISO/IEC 20000-1:2018|ISO/IEC 27001:2013|
CMMI-DEV Level 3 Appraised |
GSA Schedule Holder: IT-70#:GS35F237AA
GSA 8(a) STARS III#: 47QTCB21D0030
CIO-SP3 Contract#: HHSN316201800033W(SDVOSB)
CIO-SP3 Contract#: HHSN316201800054W(HUBZone)
Seaport-NXG Contract#: N00178-19-D-8420
eFAST Contract#: DTFAWA-13-A-00074
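Added note on the capture above (an illustration for this thread, not Burp's, Tomcat's or Akamai's code). The "body" of each outer GET is itself a request line plus one header, and Content-Length: 61 covers those bytes exactly, which is why Mark calls the requests valid. The script below rebuilds the probe from the capture (headers trimmed to the ones that affect framing; rplans.army.mil is reused only as the Host value), checks that Content-Length is consistent with the body, and then frames a keep-alive stream of two such probes under two policies: honouring Content-Length, as an HTTP/1.1 server is required to, and disregarding it on a GET. The first policy yields two requests for /, which is the behaviour Mark reports for a clean Tomcat 9.0.73; the second yields a second request for /j6pnv4c5dp?j6pnv4c5dp=j6pnv4c5dp, the target that shows up in the Location header of Response 2. That is my reading of the capture, not a statement in the thread about which hop is at fault; build_probe, parse_head, frame_stream, content_length_is_valid and smuggled_target are hypothetical names.

```python
"""Frame the captured probe two ways: honouring Content-Length versus ignoring it.

Added illustration for the mailing-list thread; not code from Burp, Tomcat or
Akamai. The request bytes are rebuilt from the capture with the headers trimmed
to those that affect framing; the function names are hypothetical.
"""
from typing import Dict, List, Tuple

CRLF = b"\r\n"

# The "body" of the outer GET as captured: a request line plus one header, with
# no terminating blank line. Content-Length: 61 covers exactly these bytes.
SMUGGLED_BODY = b"GET /j6pnv4c5dp?j6pnv4c5dp=j6pnv4c5dp HTTP/1.1\r\nX: kyhzap9frc"


def build_probe(host: bytes = b"rplans.army.mil") -> bytes:
    """Outer GET / carrying SMUGGLED_BODY as its body (other headers omitted)."""
    head = [
        b"GET / HTTP/1.1",
        b"Host: " + host,
        b"Connection: keep-alive",
        b"Content-Length: " + str(len(SMUGGLED_BODY)).encode(),
    ]
    return CRLF.join(head) + CRLF + CRLF + SMUGGLED_BODY


def parse_head(buf: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Split one request head (request line plus headers) off the front of buf.

    Returns (request-target, headers, bytes after the blank line). The caller
    must already have checked that buf contains the blank line ending the head.
    """
    head, _, rest = buf.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    _method, target, _version = lines[0].split(b" ", 2)
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return target, headers, rest


def content_length_is_valid(request: bytes) -> bool:
    """True when Content-Length is a decimal number equal to the body length."""
    _, headers, body = parse_head(request)
    value = headers.get(b"content-length")
    return value is not None and value.isdigit() and int(value) == len(body)


def frame_stream(stream: bytes, honor_content_length: bool) -> List[bytes]:
    """Request targets a server sees when reading `stream` off one connection.

    honor_content_length=True : RFC 9112 framing; the declared body is consumed
                                and the next head starts after it.
    honor_content_length=False: Content-Length disregarded (for instance because
                                a GET is assumed to carry no body), so the bytes
                                after the head are read as the next head.
    A head that has not yet received its terminating blank line is left unread,
    as a real server would keep waiting for more bytes on the connection.
    """
    targets: List[bytes] = []
    buf = stream
    while CRLF + CRLF in buf:
        target, headers, buf = parse_head(buf)
        targets.append(target)
        if honor_content_length:
            length = int(headers.get(b"content-length", b"0"))  # validated separately
            if len(buf) < length:
                break  # body incomplete; the server keeps waiting
            buf = buf[length:]
    return targets


def smuggled_target(body: bytes = SMUGGLED_BODY) -> bytes:
    """Request-target embedded in the probe body, for comparing with a Location."""
    return body.split(CRLF)[0].split(b" ", 2)[1]


if __name__ == "__main__":
    probe = build_probe()
    print("Content-Length consistent:", content_length_is_valid(probe))
    # Two probes back to back, as a scanner sends them on one keep-alive connection.
    stream = probe * 2
    print("honouring Content-Length:", frame_stream(stream, True))
    print("ignoring Content-Length: ", frame_stream(stream, False))
```

Note that with a single probe the second framing yields only /: the embedded request has no blank line of its own, so it stays incomplete until the next request on the connection supplies one, and its first line ("GET / HTTP/1.1") is swallowed as the tail of the "X:" header. That is consistent with the echoed target appearing in Response 2 rather than Response 1, and it is exactly the detail that the per-hop traces Mark asks for would settle.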


-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Wednesday, July 5, 2023 12:59 PM
To: users@tomcat.apache.org
Subject: Re: Apache Tomcat request smuggling in 9.0.68?

Without knowing which vulnerability is being tested for and how the 
vulnerability is being tested for I don't think anyone here will be able to 
help.

A (cleartext) tcpdump of the associated request(s) and response(s) would also 
be helpful.

Mark


On 05/07/2023 17:51, James Boggs wrote:
Hi,

We have Apache Tomcat 9.0.73 installed on a Windows Server 2019 OS
which has a Request Smuggling vulnerability being reported in a
BURP scan.

The Tomcat documentation reports Request Smuggling has been fixed in
9.0.68, so we don’t understand why it would still be reported using 9.0.73.

Any insights on this?

We have been told the proxy in use only supports HTTP1, so HTTP2 is
not an option.

V/r,

James Boggs | Senior DBA/SA | Mobile: 571-337-0535
“Trust, Integrity, Loyalty to Our Customers, Employees and Partner”
VA Verified (SDVOSB) | SBA Certified 8(a) | SB | SDB | MBE/DBE (MD) | SWaM (VA)
ISO 9001:2015|ISO/IEC 20000-1:2018|ISO/IEC 27001:2013|
CMMI-DEV Level 3 Appraised |

GSA Schedule Holder: IT-70#:GS35F237AA

GSA 8(a) STARS III#: 47QTCB21D0030

CIO-SP3 Contract#: HHSN316201800033W(SDVOSB)

CIO-SP3 Contract#: HHSN316201800054W(HUBZone)

Seaport-NXG Contract#: N00178-19-D-8420

eFAST Contract#: DTFAWA-13-A-00074

Fax: 410-814-7539 | jbo...@rightdirectiontech.com

RightDirection Technology Solutions, LLC | 300 E. Lombard St Suite 840
| Baltimore, MD 21202|

www.rightdirectiontech.com

Please Go Green! Please do not print this e-mail unless necessary.


Notice of Confidentiality: This e-mail and any attachments thereto,
are intended only for use by the addressee(s) named herein and may
contain legally privileged and/or confidential information. If you are
not the intended recipient of this e-mail (or the person responsible
for delivering this document to the intended recipient), you are
hereby notified that any dissemination, distribution, printing or
copying of this e-mail, and any attachment thereto, is strictly
prohibited. If you have received this e-mail in error, please respond
to the individual sending the message, and permanently delete the
original and any copy of any e-mail and printout thereof.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
