William A. Rowe, Jr. wrote:
Mladen Turk wrote:
Remy Maucherat wrote:
Tomcat permits both '\' and '%5C' as path delimiters. When Tomcat is
used behind a proxy (including, but not limited to, Apache HTTP server
with mod_proxy and mod_jk) configured to only proxy some contexts, an
HTTP request containing strings like "/\../" may allow attackers to
work around the context restriction of the proxy, and access the
non-proxied contexts.
You neglected to mention %2F - a significant identical issue.
Ok, it's fixed.
Rémy
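
Added example, not part of the original thread and not Tomcat or mod_proxy code: a front-end check that resolves a request path twice, once splitting only on a literal '/' as the proxy does, and once also treating '\', '%5C' and '%2F' as delimiters as the advisory says the backend does, and refuses to forward when the second view leaves the proxied contexts. The context list, function names and sample paths are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed proxy configuration: only these contexts are forwarded to the backend.
PROXIED_CONTEXTS = ("/app",)


def proxy_view(raw_path):
    """Resolve the path the way a proxy that only knows '/' would."""
    return posixpath.normpath(raw_path)


def backend_view(raw_path):
    """Resolve the path as a backend that also accepts '\\', %5C and %2F
    as path delimiters (the behaviour described in the advisory)."""
    decoded = unquote(raw_path).replace("\\", "/")
    return posixpath.normpath(decoded)


def in_proxied_context(path):
    return any(path == c or path.startswith(c + "/") for c in PROXIED_CONTEXTS)


def decide(raw_path):
    """Return 'not-proxied', 'reject' or 'forward' for a raw request path."""
    if not in_proxied_context(proxy_view(raw_path)):
        return "not-proxied"   # the proxy would not forward this at all
    if not in_proxied_context(backend_view(raw_path)):
        return "reject"        # backend would resolve it outside the context
    return "forward"


if __name__ == "__main__":
    # Constructed sample paths.
    for p in ("/app/index.jsp", "/app/\\../manager/html",
              "/app/%5C../manager/html", "/app/..%2Fmanager/html",
              "/manager/html"):
        print(f"{p!r:32} -> {decide(p)}")
```

The check only compares context membership, so ordinary percent-encoded characters inside a proxied context are still forwarded.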