Remy Maucherat wrote:
-1 for the report summary posted at:
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
It is highly misleading.
(moving to dev list since it's obviously not confidential)
In particular, the beginning is wrong IMO:
"Tomcat permits both '\' and '%5C' as path delimiters. A HTTP request
containing strings like "/\../" allow attackers to break out of the
given context."
implies that "/\../" is special, would do something to standlone Tomcat,
could be used to browse the HD, etc. The rest then goes into the proxy
situation, which should be the only thing being described.
Reworked text:
Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is
used behind a proxy (including, but not limited to, Apache HTTP server
with mod_proxy and mod_jk) configured to only proxy some contexts, a
HTTP request containing strings like "/\../" may allow attackers to work
around the context restriction of the proxy, and access the non-proxied
contexts.
The following Java startup options have been added to Tomcat to provide
additional control of the handling of '\' and '%5c' in URLs (both
options default to false):
* -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true|false
* -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true|false
This issue can also be solved by configuring the appropriate URL
handling in the proxy server.
Due to the impossibility to guarantee that all URLs are handled by
Tomcat as they are in proxy servers, Tomcat should always be secured as
if no proxy restricting context access was used.
Comments ?
Rémy
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
