+1, Yep, this explains the real problem better :-)
Peter
On 20.03.2007 at 15:10, Remy Maucherat wrote:
Remy Maucherat wrote:
-1 for the report summary posted at:
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
It is highly misleading.
(moving to dev list since it's obviously not confidential)
In particular, the beginning is wrong IMO:
"Tomcat permits both '\' and '%5C' as path delimiters. A HTTP
request containing strings like "/\../" allow attackers to break
out of the given context."
implies that "/\../" is special, would do something to standalone
Tomcat, could be used to browse the HD, etc. The rest then goes
into the proxy situation, which should be the only thing being
described.
Reworked text:
Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat
is used behind a proxy (including, but not limited to, Apache HTTP
server with mod_proxy and mod_jk) configured to only proxy some
contexts, an HTTP request containing strings like "/\../" may allow
attackers to work around the context restriction of the proxy, and
access the non-proxied contexts.
The following Java startup options have been added to Tomcat to
provide additional control of the handling of '\' and '%5c' in URLs
(both options default to false):
* -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true|false
* -
Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true|
false
This issue can also be solved by configuring the appropriate URL
handling in the proxy server.
Due to the impossibility of guaranteeing that all URLs are handled by
Tomcat as they are in proxy servers, Tomcat should always be
secured as if no proxy restricting context access was used.
Comments?
Rémy
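To make the mismatch Rémy describes concrete, here is a small model, added here and not Tomcat's or any proxy's own code, of a proxy that forwards by raw URL prefix next to a simplified version of Tomcat's path resolution with the two startup options toggled. The decoding steps, the `/app/` and `/internal/` contexts and the function names are assumptions for illustration; the point is that the proxy decides on the raw URL while Tomcat decides on the normalized path, so the backend must not rely on the proxy's restriction.

```python
import re
from urllib.parse import unquote

# Assumed demo configuration: the proxy only forwards /app/; /internal/ is a
# Tomcat context that is meant to be reachable only from the inside.
PROXIED_PREFIXES = ("/app/",)


def proxy_forwards(raw_url):
    """Naive proxy rule: forward when the raw request URL starts with a proxied prefix."""
    return any(raw_url.startswith(p) for p in PROXIED_PREFIXES)


def tomcat_resolve(raw_url, allow_encoded_slash=False, allow_backslash=False):
    """Simplified model (an assumption, not Tomcat source) of how Tomcat turns the
    request URL into a path. Returns the normalized path, or None for a 400 rejection."""
    # UDecoder: an encoded '/' (%2F) is refused unless ALLOW_ENCODED_SLASH=true.
    if re.search(r"%2f", raw_url, re.IGNORECASE) and not allow_encoded_slash:
        return None
    path = unquote(raw_url)  # %5C becomes a literal '\' here
    # CoyoteAdapter: a '\' is refused, or treated as '/' when ALLOW_BACKSLASH=true.
    if "\\" in path:
        if not allow_backslash:
            return None
        path = path.replace("\\", "/")
    # Collapse '.' and '..' segments; climbing above the root is rejected.
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def escapes_proxy_restriction(raw_url, **tomcat_opts):
    """True when the proxy forwards the request but Tomcat resolves it to a
    context outside the proxied prefixes: the mismatch the advisory describes."""
    if not proxy_forwards(raw_url):
        return False
    resolved = tomcat_resolve(raw_url, **tomcat_opts)
    if resolved is None:
        return False
    return not any((resolved + "/").startswith(p) for p in PROXIED_PREFIXES)
```

With both options left at their default of false, the constructed request `/app/\../internal/status` is rejected by the model before it can reach another context; with ALLOW_BACKSLASH=true it resolves to `/internal/status` even though the proxy saw an `/app/` URL.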