Mladen Turk wrote:
> Remy Maucherat wrote:
>> Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is
>> used behind a proxy (including, but not limited to, Apache HTTP server
>> with mod_proxy and mod_jk) configured to only proxy some contexts, an
>> HTTP request containing strings like "/\../" may allow attackers to
>> work around the context restriction of the proxy, and access the
>> non-proxied contexts.
>
> But this is unlikely to happen unless you explicitly add
> AllowEncodedSlashes and unless you physically put your webapps
> inside ServerRoot so they can be directly accessed by the web server
> regardless of the proxy used.
This may depend on the platform, and it could apply to any proxy. It's
very similar to the content-length thingie.
Rémy
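As an added illustration of the point in the thread (this is not code from the thread, from Tomcat or from httpd), the following Python model shows why a prefix rule on the raw request path is not enough when the backend treats '\' and '%5C' as path delimiters: the proxy must compare the context against the path the backend will actually resolve. The context name "/app", the target "/admin" and the sample requests are constructed for the example; `canonicalize` assumes, as the thread states, that a backslash or its percent-encoding acts like '/'.

```python
from urllib.parse import unquote

# Contexts the proxy is meant to expose; constructed sample, not from the thread.
PROXIED_CONTEXTS = ("/app",)


def canonicalize(path: str) -> str:
    """Return the path as a backslash-tolerant container would resolve it.

    Assumption (from the thread): '\\' and its encoding '%5C' act as path
    delimiters, so they are folded into '/' before '..' segments collapse.
    Percent-encoding is decoded once, as a single proxy hop would see it.
    """
    decoded = unquote(path)            # %5C -> '\', %2E -> '.', etc.
    decoded = decoded.replace("\\", "/")
    resolved = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue                    # empty or current-directory segment
        if segment == "..":
            if resolved:
                resolved.pop()          # climb one level, never above root
            continue
        resolved.append(segment)
    return "/" + "/".join(resolved)


def in_context(path: str, contexts=PROXIED_CONTEXTS) -> bool:
    """Exact context match: the context itself or anything below it."""
    return any(path == c or path.startswith(c + "/") for c in contexts)


def naive_proxy_allows(raw_path: str, contexts=PROXIED_CONTEXTS) -> bool:
    """Prefix check on the raw request path, as a simple proxy rule does."""
    return in_context(raw_path, contexts)


def strict_proxy_allows(raw_path: str, contexts=PROXIED_CONTEXTS) -> bool:
    """Allow only if the path the backend will resolve stays in context."""
    return (in_context(raw_path, contexts)
            and in_context(canonicalize(raw_path), contexts))


def suspicious_delimiter(raw_path: str) -> bool:
    """Log-review signal: a backslash (raw or %5C) together with a '..' segment."""
    lowered = raw_path.lower()
    has_backslash = "\\" in lowered or "%5c" in lowered
    return has_backslash and ".." in unquote(lowered)


if __name__ == "__main__":
    # Constructed requests: one ordinary, two using the delimiter trick.
    for req in ("/app/index.jsp", "/app/\\../admin/", "/app/%5C../admin/"):
        print(f"{req:24} -> {canonicalize(req):14} "
              f"naive={naive_proxy_allows(req)} strict={strict_proxy_allows(req)}")
```

The naive rule passes both trick requests because they begin with "/app/", while the strict rule rejects them because the resolved path lands in "/admin". `suspicious_delimiter` is the corresponding detection check to run over access logs: a backslash or %5C next to a dot-dot segment is rarely legitimate.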