Remy Maucherat wrote:
> Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is
> used behind a proxy (including, but not limited to, Apache HTTP server
> with mod_proxy and mod_jk) configured to only proxy some contexts, an
> HTTP request containing strings like "/\../" may allow attackers to work
> around the context restriction of the proxy, and access the non-proxied
> contexts.
But this is unlikely to happen unless you explicitly add
AllowEncodedSlashes and unless you physically put your webapps
inside ServerRoot so they can be directly accessed by the web server
regardless of the proxy used.
> The following Java startup options have been added to Tomcat to provide
> additional control of the handling of '\' and '%5c' in URLs (both
> options default to false):
> * -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true|false
> * -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true|false
> This issue can also be solved by configuring the appropriate URL
> handling in the proxy server.
> Due to the impossibility to guarantee that all URLs are handled by
> Tomcat as they are in proxy servers, Tomcat should always be secured as
> if no proxy restricting context access was used.
> Comments?
Makes sense to have those double secured.
Regards,
Mladen.
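The point of the thread is that a proxy deciding on the raw request line and Tomcat deciding on its own decoded, normalized form can disagree about which context a request lands in. The following is an added example (not code from the thread, from Tomcat, or from any proxy) that models the two Tomcat switches as a simplified normalizer and then shows the proxy-side check that does not suffer from the mismatch. The context names `/public` and `/internal` and the file names are constructed for the illustration.

```python
"""Constructed example: model the '\\' / '%5C' handling the thread describes
and check a proxy's context restriction against what Tomcat would serve.

tomcat_normalize() is a simplified, illustrative model of the two options
named in the thread, not Tomcat's own code:
  - ALLOW_ENCODED_SLASH gates whether a %2F may decode to a path separator
  - ALLOW_BACKSLASH gates whether a '\\' (literal, or decoded from %5C)
    is accepted and treated as a path separator
"""

from urllib.parse import unquote

# Hypothetical proxy rule: only these context prefixes are forwarded to Tomcat.
PROXIED_CONTEXTS = ("/public",)


def tomcat_normalize(raw_path, allow_encoded_slash=False, allow_backslash=False):
    """Return the path Tomcat would serve, or None where it would reject
    the request (the behaviour with both options left at their default
    of false). Simplified model for illustration."""
    lowered = raw_path.lower()
    if "%2f" in lowered and not allow_encoded_slash:
        return None
    decoded = unquote(raw_path)            # %5C becomes a literal backslash here
    if "\\" in decoded:
        if not allow_backslash:
            return None
        decoded = decoded.replace("\\", "/")
    # Collapse "." and ".." segments; refuse anything that climbs above the root.
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def _under(path, context):
    return path == context or path.startswith(context + "/")


def context_escape(raw_path, **tomcat_opts):
    """True when a prefix-only proxy rule would forward the request but
    Tomcat would serve it from a context the proxy never meant to expose."""
    forwarded = any(raw_path.startswith(c) for c in PROXIED_CONTEXTS)
    served = tomcat_normalize(raw_path, **tomcat_opts)
    if not forwarded or served is None:
        return False
    return not any(_under(served, c) for c in PROXIED_CONTEXTS)


def proxy_allows(raw_path):
    """Proxy-side rule that stays consistent with Tomcat: decide on the raw
    request line and refuse every delimiter variant Tomcat might reinterpret
    (literal backslash, %5C, %2F), then apply the context prefix."""
    lowered = raw_path.lower()
    if "\\" in lowered or "%5c" in lowered or "%2f" in lowered:
        return False
    return any(_under(raw_path, c) for c in PROXIED_CONTEXTS)


if __name__ == "__main__":
    for path in ("/public/index.jsp",
                 "/public/\\../internal/admin.jsp",
                 "/public/%5C../internal/admin.jsp"):
        print(path,
              "default ->", tomcat_normalize(path),
              "| ALLOW_BACKSLASH=true ->", tomcat_normalize(path, allow_backslash=True),
              "| strict proxy:", proxy_allows(path))
```

With both options at their default of false the normalizer rejects the backslash forms outright, which is why the thread's advice to leave the defaults alone and additionally harden Tomcat as if there were no proxy holds up: `context_escape` only becomes true once `ALLOW_BACKSLASH` is enabled, and `proxy_allows` rejects those request lines before Tomcat ever sees them.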