Author: remm
Date: Tue Mar 20 08:21:10 2007
New Revision: 520427

URL: http://svn.apache.org/viewvc?view=rev&rev=520427
Log:
- Clarify the '\' security issue.

Modified:
    tomcat/site/trunk/docs/security-4.html
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-4.xml
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-4.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?view=diff&rev=520427&r1=520426&r2=520427
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Tue Mar 20 08:21:10 2007
@@ -246,15 +246,16 @@
        CVE-2007-0450</a>
 </p>
 
-    <p>Tomcat permits both '\' and '%5C' as path delimiters. A HTTP request
-       containing strings like "/\../" allow attackers to break out of the 
given
-       context. Additionally, when using Tomcat behind a proxy configured to
-       only proxy some contexts this permits access to non-proxied contexts.
-       When used behind a proxy it is recommended that Tomcat is secured as if
-       the proxy were not present.</p>
+    <p>Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is 
used 
+       behind a proxy (including, but not limited to, Apache HTTP server with 
+       mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP 
request 
+       containing strings like "/\../" may allow attackers to work around the 
context 
+       restriction of the proxy, and access the non-proxied contexts.
+    </p>
 
-    <p>The following Java startup options have been added to Tomcat to provide
-       additional control of the handling of '\' and '%5c' in URLs:
+    <p>The following Java startup options have been added to Tomcat to provide 
+       additional control of the handling of '\' and '%5c' in URLs (both 
options 
+       default to false):
        <ul>
          <li>
 <code>
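Review bot: The rewritten first paragraph drops the earlier statement that "/\../" lets a request break out of the given context, and now describes the problem only for Tomcat behind a proxy. If a directly exposed Tomcat is also affected, keep a sentence saying so; otherwise readers without a proxy will conclude the entry does not apply to them. In the same paragraph, "a HTTP request" should be "an HTTP request".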
@@ -267,7 +268,11 @@
          </code>
 </li>
        </ul>
-       These options default to false.
+    </p>
+
+    <p>Due to the impossibility to guarantee that all URLs are handled by 
Tomcat as 
+       they are in proxy servers, Tomcat should always be secured as if no 
proxy 
+       restricting context access was used.
     </p>
 
     <p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.34</p>
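Review bot: The "</p>" added right after "</ul>" closes a paragraph that contains the options list, but a <ul> cannot be nested inside a <p> in HTML, so a browser ends the paragraph at the <ul> and this "</p>" is left without a matching open tag. Close the paragraph after "default to false):" and let the list stand on its own. In the new final paragraph, "Due to the impossibility to guarantee" reads better as "Because it cannot be guaranteed".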

Modified: tomcat/site/trunk/docs/security-5.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?view=diff&rev=520427&r1=520426&r2=520427
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Tue Mar 20 08:21:10 2007
@@ -269,15 +269,16 @@
        CVE-2007-0450</a>
 </p>
 
-    <p>Tomcat permits both '\' and '%5C' as path delimiters. A HTTP request
-       containing strings like "/\../" allow attackers to break out of the 
given
-       context. Additionally, when using Tomcat behind a proxy configured to
-       only proxy some contexts this permits access to non-proxied contexts.
-       When used behind a proxy it is recommended that Tomcat is secured as if
-       the proxy were not present.</p>
+    <p>Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is 
used 
+       behind a proxy (including, but not limited to, Apache HTTP server with 
+       mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP 
request 
+       containing strings like "/\../" may allow attackers to work around the 
context 
+       restriction of the proxy, and access the non-proxied contexts.
+    </p>
 
-    <p>The following Java startup options have been added to Tomcat to provide
-       additional control of the handling of '\' and '%5c' in URLs:
+    <p>The following Java startup options have been added to Tomcat to provide 
+       additional control of the handling of '\' and '%5c' in URLs (both 
options 
+       default to false):
        <ul>
          <li>
 <code>
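Review bot: The two added paragraphs spell the encoded backslash differently, '%5C' in the first paragraph and '%5c' in the options paragraph. Use one spelling throughout, or state whether both cases are treated alike, so readers do not take them for two distinct sequences.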
@@ -290,7 +291,11 @@
          </code>
 </li>
        </ul>
-       These options default to false.
+    </p>
+
+    <p>Due to the impossibility to guarantee that all URLs are handled by 
Tomcat as 
+       they are in proxy servers, Tomcat should always be secured as if no 
proxy 
+       restricting context access was used.
     </p>
 
     <p>Affects: 5.5.0-5.5.21, 5.0.0-5.0.30</p>

Modified: tomcat/site/trunk/docs/security-6.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?view=diff&rev=520427&r1=520426&r2=520427
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Tue Mar 20 08:21:10 2007
@@ -269,15 +269,16 @@
        CVE-2007-0450</a>
 </p>
 
-    <p>Tomcat permits both '\' and '%5C' as path delimiters. A HTTP request
-       containing strings like "/\../" allow attackers to break out of the 
given
-       context. Additionally, when using Tomcat behind a proxy configured to
-       only proxy some contexts this permits access to non-proxied contexts.
-       When used behind a proxy it is recommended that Tomcat is secured as if
-       the proxy were not present.</p>
+    <p>Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is 
used 
+       behind a proxy (including, but not limited to, Apache HTTP server with 
+       mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP 
request 
+       containing strings like "/\../" may allow attackers to work around the 
context 
+       restriction of the proxy, and access the non-proxied contexts.
+    </p>
 
-    <p>The following Java startup options have been added to Tomcat to provide
-       additional control of the handling of '\' and '%5c' in URLs:
+    <p>The following Java startup options have been added to Tomcat to provide 
+       additional control of the handling of '\' and '%5c' in URLs (both 
options 
+       default to false):
        <ul>
          <li>
 <code>
@@ -290,7 +291,11 @@
          </code>
 </li>
        </ul>
-       These options default to false.
+    </p>
+
+    <p>Due to the impossibility to guarantee that all URLs are handled by 
Tomcat as 
+       they are in proxy servers, Tomcat should always be secured as if no 
proxy 
+       restricting context access was used.
     </p>
 
     <p>Affects: 6.0.0-6.0.9</p>

Modified: tomcat/site/trunk/xdocs/security-4.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?view=diff&rev=520427&r1=520426&r2=520427
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Tue Mar 20 08:21:10 2007
@@ -46,15 +46,16 @@
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450";>
        CVE-2007-0450</a></p>
 
-    <p>Tomcat permits both '\' and '%5C' as path delimiters. A HTTP request
-       containing strings like "/\../" allow attackers to break out of the 
given
-       context. Additionally, when using Tomcat behind a proxy configured to
-       only proxy some contexts this permits access to non-proxied contexts.
-       When used behind a proxy it is recommended that Tomcat is secured as if
-       the proxy were not present.</p>
+    <p>Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is 
used 
+       behind a proxy (including, but not limited to, Apache HTTP server with 
+       mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP 
request 
+       containing strings like "/\../" may allow attackers to work around the 
context 
+       restriction of the proxy, and access the non-proxied contexts.
+    </p>
 
-    <p>The following Java startup options have been added to Tomcat to provide
-       additional control of the handling of '\' and '%5c' in URLs:
+    <p>The following Java startup options have been added to Tomcat to provide 
+       additional control of the handling of '\' and '%5c' in URLs (both 
options 
+       default to false):
        <ul>
          <li><code>
            -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true|false
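Review bot: The options paragraph now says both options default to false but never says what false does, and the first option is named ALLOW_ENCODED_SLASH while the sentence only mentions '\' and '%5c'. Add a sentence stating which value is the restrictive one and whether the encoded-slash option also covers the encoded backslash, so an administrator can tell that leaving the defaults alone is the intended configuration.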
@@ -63,7 +64,11 @@
            
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true|false
          </code></li>
        </ul>
-       These options default to false.
+    </p>
+
+    <p>Due to the impossibility to guarantee that all URLs are handled by 
Tomcat as 
+       they are in proxy servers, Tomcat should always be secured as if no 
proxy 
+       restricting context access was used.
     </p>
 
     <p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.34</p>
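Review bot: The new closing paragraph tells administrators to secure Tomcat "as if no proxy restricting context access was used" without naming a single measure. Name at least one concrete step, for example applying access control to the non-proxied contexts in Tomcat itself, so the recommendation is actionable. "was used" should also be "were used".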

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?view=diff&rev=520427&r1=520426&r2=520427
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Tue Mar 20 08:21:10 2007
@@ -48,15 +48,16 @@
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450";>
        CVE-2007-0450</a></p>
 
-    <p>Tomcat permits both '\' and '%5C' as path delimiters. A HTTP request
-       containing strings like "/\../" allow attackers to break out of the 
given
-       context. Additionally, when using Tomcat behind a proxy configured to
-       only proxy some contexts this permits access to non-proxied contexts.
-       When used behind a proxy it is recommended that Tomcat is secured as if
-       the proxy were not present.</p>
+    <p>Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is 
used 
+       behind a proxy (including, but not limited to, Apache HTTP server with 
+       mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP 
request 
+       containing strings like "/\../" may allow attackers to work around the 
context 
+       restriction of the proxy, and access the non-proxied contexts.
+    </p>
 
-    <p>The following Java startup options have been added to Tomcat to provide
-       additional control of the handling of '\' and '%5c' in URLs:
+    <p>The following Java startup options have been added to Tomcat to provide 
+       additional control of the handling of '\' and '%5c' in URLs (both 
options 
+       default to false):
        <ul>
          <li><code>
            -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true|false
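Review bot: The context line above the changed paragraph shows the CVE link as href="...CVE-2007-0450";> with a ';' between the closing quote and the '>'. If that character is in the file and not added by the mail rendering, it makes the tag malformed and should be removed while this entry is being edited; the same line appears in the security-4.xml and security-6.xml hunks.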
@@ -65,7 +66,11 @@
            
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true|false
          </code></li>
        </ul>
-       These options default to false.
+    </p>
+
+    <p>Due to the impossibility to guarantee that all URLs are handled by 
Tomcat as 
+       they are in proxy servers, Tomcat should always be secured as if no 
proxy 
+       restricting context access was used.
     </p>
 
     <p>Affects: 5.5.0-5.5.21, 5.0.0-5.0.30</p>

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?view=diff&rev=520427&r1=520426&r2=520427
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Tue Mar 20 08:21:10 2007
@@ -48,15 +48,16 @@
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450";>
        CVE-2007-0450</a></p>
 
-    <p>Tomcat permits both '\' and '%5C' as path delimiters. A HTTP request
-       containing strings like "/\../" allow attackers to break out of the 
given
-       context. Additionally, when using Tomcat behind a proxy configured to
-       only proxy some contexts this permits access to non-proxied contexts.
-       When used behind a proxy it is recommended that Tomcat is secured as if
-       the proxy were not present.</p>
+    <p>Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is 
used 
+       behind a proxy (including, but not limited to, Apache HTTP server with 
+       mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP 
request 
+       containing strings like "/\../" may allow attackers to work around the 
context 
+       restriction of the proxy, and access the non-proxied contexts.
+    </p>
 
-    <p>The following Java startup options have been added to Tomcat to provide
-       additional control of the handling of '\' and '%5c' in URLs:
+    <p>The following Java startup options have been added to Tomcat to provide 
+       additional control of the handling of '\' and '%5c' in URLs (both 
options 
+       default to false):
        <ul>
          <li><code>
            -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true|false
@@ -65,7 +66,11 @@
            
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true|false
          </code></li>
        </ul>
-       These options default to false.
+    </p>
+
+    <p>Due to the impossibility to guarantee that all URLs are handled by 
Tomcat as 
+       they are in proxy servers, Tomcat should always be secured as if no 
proxy 
+       restricting context access was used.
     </p>
 
     <p>Affects: 6.0.0-6.0.9</p>


