HOWTO: the right way to configure security constraints to protect CGI scripts in web.xml
Dear users and supporters,

Currently I have two CGI scripts:

1. "/cgi-bin/update" // an administrative command, required role="admin"
2. "/cgi-bin/updateOrder" // update order, required role="biz"

In order to protect the above endpoints via the web.xml security-constraint mechanism, how should I do it?

Regards,
Chenjp
Re: HOWTO: the right way to configure security constraints to protect CGI scripts in web.xml
Hi,

One servlet per JSP URL is never on the menu. The difference between the CGI Servlet and the JSP Servlet is the script file search mechanism. E.g. two requests, "/xxx/update" and "/xxx/update/abc", are mapped to two different JSP script files if handled by the JSP Servlet. Unfortunately, those different requests are mapped to the same CGI script file if handled by the CGI Servlet and the /xxx/update lookup succeeded. For the CGI part, I suggest enhancing the url-pattern ("/cgi-bin/update" + "/cgi-bin/update/*") for each specific security-constraint, e.g.:

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin-stuff</web-resource-name>
    <url-pattern>/cgi-bin/update</url-pattern>
    <url-pattern>/cgi-bin/update/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
```

Full web.xml for reference:

```xml
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="https://jakarta.ee/xml/ns/jakartaee"
         xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"
         id="WebApp_ID" version="6.0">
  <display-name>sec-lab</display-name>

  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>/WEB-INF/cgi</param-value>
    </init-param>
    <init-param>
      <param-name>executable</param-name>
      <param-value>C:\Perl\strawberry\perl\bin\perl.exe</param-value>
    </init-param>
    <load-on-startup>5</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CGI-protected-area</web-resource-name>
      <url-pattern>/cgi-bin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>staff</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-stuff</web-resource-name>
      <url-pattern>/cgi-bin/update</url-pattern>
      <url-pattern>/cgi-bin/update/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>biz-stuff</web-resource-name>
      <url-pattern>/cgi-bin/updateOrder</url-pattern>
      <url-pattern>/cgi-bin/updateOrder/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>biz</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>SecurityLab</realm-name>
  </login-config>

  <security-role>
    <description>The role is required to access cgi scripts</description>
    <role-name>staff</role-name>
  </security-role>
  <security-role>
    <description>The role is required to access administrative cgi scripts</description>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <description>The role is required to access biz purpose cgi scripts</description>
    <role-name>biz</role-name>
  </security-role>
</web-app>
```

Chenjp

From: Christopher Schultz
Sent: Thursday, April 10, 2025 2:22
To: users@tomcat.apache.org
Subject: Re: HOWTO: the right way to configure security constraints to protect CGI scripts in web.xml

Mark,

On 4/8/25 5:40 PM, Mark Thomas wrote:
> 8 Apr 2025 21:45:50 Christopher Schultz:
>
>> Justin,
>>
>> On 4/8/25 3:16 AM, Justin Chen wrote:
>>> Dear users and supporters,
>>> Currently I have two CGI scripts:
>>> 1. "/cgi-bin/update" //an administrative command, required role="admin"
>>> 2. "/cgi-bin/updateOrder" //update order, required role="biz"
>>> In order to protect above endpoints via web.xml security-constraints
>>> mechanism, how shall I do?
>>
>> It should be as simple as this in your web.xml:
>
> Whether the below is correct depends on how the CGI Servlet is mapped.
> And the OP hasn't provided that information.

+1

I first wrote, then deleted three paragraphs on that exact topic before sending my reply. I didn't want to go into too much detail because it really depends upon the use case.

The best thing to do is declare exactly one CGI script per url-pattern, then match all security constraints matching each of those url-patterns.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HOWTO: the right way to configure security constraints to protect CGI scripts in web.xml
Hi Mark and Chris,

As suggested, I updated the configuration as follows:

```xml
<display-name>security-tomcat-2025</display-name>

<servlet>
  <servlet-name>cgi</servlet-name>
  <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  <init-param>
    <param-name>cgiPathPrefix</param-name>
    <param-value>/WEB-INF/cgi</param-value>
  </init-param>
  <init-param>
    <param-name>executable</param-name>
    <param-value>C:\Perl\strawberry\perl\bin\perl.exe</param-value>
  </init-param>
  <load-on-startup>5</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>cgi</servlet-name>
  <url-pattern>/cgi-bin/*</url-pattern>
</servlet-mapping>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin-stuff</web-resource-name>
    <url-pattern>/cgi-bin/update</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>biz-stuff</web-resource-name>
    <url-pattern>/cgi-bin/updateOrder</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>biz</role-name>
  </auth-constraint>
</security-constraint>
```

Is this an appropriate set of security constraints, and secure enough for CGI?

Chenjp

From: Mark Thomas
Sent: Wednesday, April 9, 2025 5:40
To: Tomcat Users List
Subject: Re: HOWTO: the right way to configure security constraints to protect CGI scripts in web.xml

8 Apr 2025 21:45:50 Christopher Schultz:
> Justin,
>
> On 4/8/25 3:16 AM, Justin Chen wrote:
>> Dear users and supporters,
>> Currently I have two CGI scripts:
>> 1. "/cgi-bin/update" //an administrative command, required
>> role="admin"
>> 2. "/cgi-bin/updateOrder" //update order, required role="biz"
>> In order to protect above endpoints via web.xml security-constraints
>> mechanism, how shall I do?
>
> It should be as simple as this in your web.xml:

Whether the below is correct depends on how the CGI Servlet is mapped. And the OP hasn't provided that information.

Mark

> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>admin-stuff</web-resource-name>
>     <url-pattern>/cgi-bin/update</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>admin</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>biz-stuff</web-resource-name>
>     <url-pattern>/cgi-bin/updateOrder</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>biz</role-name>
>   </auth-constraint>
> </security-constraint>
>
> -chris
Problem when put a one-byte file partially
hi,

Main branch: I receive an unexpected 400 for a curl PUT with Content-Range header value "bytes 0-0/1" and -d c. PR submitted.

Regards,
Chenjp
Re: [SECURITY] CVE-2025-46701 Apache Tomcat - CGI security constraint bypass
Per the original reports from Greg K, pathInfo is not the only weakness.

From: Mark Thomas
Sent: Friday, May 30, 2025 3:02
To: Tomcat Users List
Cc: annou...@apache.org; annou...@tomcat.apache.org; Tomcat Developers List
Subject: [SECURITY] CVE-2025-46701 Apache Tomcat - CGI security constraint bypass

CVE-2025-46701 Apache Tomcat - CGI security constraint bypass

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.6
Apache Tomcat 10.1.0-M1 to 10.1.40
Apache Tomcat 9.0.0.M1 to 9.0.104

Description:
When running on a case insensitive file system with security constraints configured for the pathInfo component of a URL that mapped to the CGI servlet, it was possible to bypass those security constraints with a specially crafted URL.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.7 or later
- Upgrade to Apache Tomcat 10.1.41 or later
- Upgrade to Apache Tomcat 9.0.105 or later

Credit:
The vulnerability was identified by Greg K (https://github.com/gregk4sec)

History:
2025-05-29 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
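An added audit helper, not from the thread or from Tomcat, that models the two constraint layouts posted above (exact patterns only, versus exact plus "/*" patterns behind a "/cgi-bin/*" catch-all) together with the case-insensitive file system condition from the CVE-2025-46701 advisory, and reports which requests reach a CGI script while requiring weaker roles than intended. It assumes the Servlet-spec best-match order Tomcat applies (all exact matches, otherwise the longest matching prefix pattern), does not model extension or default patterns, and its script set, expected roles and request list are constructed.

```python
def matching_constraints(path, constraints):
    """Servlet-spec best match over (url-patterns, roles) pairs: all exact matches,
    else the constraints holding the longest matching '/x/*' prefix.
    Extension ('*.ext') and default ('/') patterns are not modelled."""
    exact = [c for c in constraints if path in c[0]]
    if exact:
        return exact
    best, best_len = [], -1
    for pats, roles in constraints:
        for p in pats:
            prefix = p[:-2]
            if not p.endswith("/*") or (path != prefix and not path.startswith(prefix + "/")):
                continue
            if len(prefix) > best_len:
                best, best_len = [], len(prefix)
            if len(prefix) == best_len:
                best.append((pats, roles))
    return best

def required_roles(path, constraints):
    """Union of roles over the matching constraints; an empty set means unprotected."""
    return set().union(*(r for _, r in matching_constraints(path, constraints)))

def cgi_script_for(path, scripts, case_insensitive_fs):
    """CGIServlet lookup model: the first segment after /cgi-bin/ names the script file,
    the rest is pathInfo. A case-insensitive file system ignores case here while the
    url-pattern match above does not (the CVE-2025-46701 mismatch)."""
    if not path.startswith("/cgi-bin/"):
        return None
    name = path[len("/cgi-bin/"):].split("/", 1)[0]
    return next((s for s in scripts if s == name or
                 (case_insensitive_fs and s.lower() == name.lower())), None)

def audit(constraints, scripts, expected, requests, case_insensitive_fs=False):
    """{request: roles actually required} for every request that reaches a script
    without requiring that script's expected role(s)."""
    findings = {}
    for req in requests:
        script = cgi_script_for(req, scripts, case_insensitive_fs)
        if script is not None and not expected[script] <= required_roles(req, constraints):
            findings[req] = required_roles(req, constraints)
    return findings

# Constructed inputs: the two layouts posted in the thread and a few sample requests.
REDUCED = [(["/cgi-bin/update"], {"admin"}), (["/cgi-bin/updateOrder"], {"biz"})]
FULL = [(["/cgi-bin/*"], {"staff"}),
        (["/cgi-bin/update", "/cgi-bin/update/*"], {"admin"}),
        (["/cgi-bin/updateOrder", "/cgi-bin/updateOrder/*"], {"biz"})]
SCRIPTS = {"update", "updateOrder"}
EXPECTED = {"update": {"admin"}, "updateOrder": {"biz"}}
REQUESTS = ["/cgi-bin/update", "/cgi-bin/update/abc", "/cgi-bin/updateOrder/x", "/cgi-bin/UPDATE"]
```

With the reduced layout, any request carrying pathInfo reaches the script with no constraint at all; with the full layout only the case-variant request on a case-insensitive file system falls through to the weaker "staff" catch-all, which is why the advisory's upgrade is the fix rather than more patterns.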