Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build
Thanks a lot for the clear explanation, Mark. I have all my questions
answered; appreciate your help & you guys are great! My apologies for the
previous follow-up emails, I am still a novice in Tomcat & failed to
understand the exact fix quicker.

regards
Harish Krishnan

On Wed, Mar 16, 2016 at 4:38 AM, Mark Thomas wrote:
> On 15/03/2016 20:58, Harish Krishnan wrote:
> > Hello There,
> >
> > I am kind of blocked here in my project while applying your CVE fix in our
> > product & verifying the fix. Any guidelines on what I am doing (mentioned in
> > my previous email) wrong are highly appreciated.
>
> You are failing to follow the hints you have been given previously.
>
> > All I am trying to do is disable the redirect for the root (Ex: /manager &
> > /examples in Tomcat) of the webapp. If I know how to do this on the
> > mentioned Tomcat webapps, then I can apply the same for my webapps too.
> > Looking for your response & help here.
>
> You CAN NOT disable the redirect. As the documentation for the two
> redirect options makes clear, all they do is change WHERE the redirect
> happens.
>
> The key point in all of this is that security constraints are applied
> AFTER the Mapper and BEFORE the DefaultServlet. If the request is for a
> protected resource and the redirects take place in the Mapper, then the
> response will confirm whether that resource exists irrespective of
> whether or not the user is authorized to access the resource. If the
> redirect takes place in the Default Servlet, the response will reflect
> the security constraints and the user's access rights if any.
>
> Again, you need to look at the security constraints for the Manager
> application. /manager is NOT a protected resource so the redirect is
> always going to happen.
>
> Mark
>
> > regards
> > Harish Krishnan
> >
> > On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan wrote:
> > > Thanks again for the reply, Chris & Violeta!
> > > Thanks for clarifying what the "protected directory" is, even I guessed it
> > > to be the same. Now I understood the fix for the directories protected by a
> > > security constraint. I also verified this & the redirect is no more
> > > happening for these protected ones. Really appreciate your help here.
> > >
> > > However, I am still unable to disable the redirect for the root of the
> > > webapp. This is what I did on the latest Tomcat build (7.0.68) -
> > >
> > > a) Set the context attribute (mapperContextRootRedirectEnabled) to false
> > > for the manager webapp. Here is my context.xml (from
> > > \webapps\manager\META-INF\) file -
> > >
> > > <Context mapperContextRootRedirectEnabled="false"
> > >          antiResourceLocking="false" privileged="true">
> > > </Context>
> > >
> > > b) Accessing http://localhost:8080/manager gets redirected to manager/.
> > >
> > > c) I have also set the above context attribute in the default context.xml
> > > (from \conf\context.xml) file as well.
> > >
> > > d) Accessing http://localhost:8080/examples gets redirected to examples/.
> > >
> > > Not sure what I am missing here. Same behavior is seen on my web
> > > application too.
> > > Please let me know where I am doing wrong & help me on how to disable the
> > > redirect for the root of webapps.
> > >
> > > regards
> > > Harish Krishnan
> > >
> > > On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz <
> > > ch...@christopherschultz.net> wrote:
> > > > Harish,
> > > >
> > > > On 3/8/16 5:47 PM, Harish Krishnan wrote:
> > > > > Thanks Chris for the reply.
> > > > > Looks like my understanding of the fix is incorrect.
> > > > > I assumed (my bad) that, with the fix for this CVE in place (Tomcat
> > > > > 7.0.68) + setting the additional context attribute
> > > > > (mapperContextRootRedirectEnabled="false"), all the redirects for that
> > > > > webapp where the context attribute was set would completely be disabled.
> > > > > You mentioned that only "protected directories" inside the deployed web
> > > > > application are covered in this CVE fix.
> > > > > Can you please help me understand what these protected directories are & how
> > > > > to configure this in Tomcat?
> > > >
> > > > A "protected directory" is one that has a <security-constraint> in
> > > > web.xml. That's not a spec-defined term... just one we've been using
> > > > because it captures the meaning with fewer words.
> > > >
> > > > As for the redirects you are seeing that "expose" the availability of a
> > > > particular web application, those are essentially impossible to prevent,
> > > > and not considered a part of the CVE.
> > > >
> > > > -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build
On 15/03/2016 20:58, Harish Krishnan wrote:
> Hello There,
>
> I am kind of blocked here in my project while applying your CVE fix in our
> product & verifying the fix. Any guidelines on what I am doing (mentioned in
> my previous email) wrong are highly appreciated.

You are failing to follow the hints you have been given previously.

> All I am trying to do is disable the redirect for the root (Ex: /manager &
> /examples in Tomcat) of the webapp. If I know how to do this on the
> mentioned Tomcat webapps, then I can apply the same for my webapps too.
> Looking for your response & help here.

You CAN NOT disable the redirect. As the documentation for the two
redirect options makes clear, all they do is change WHERE the redirect
happens.

The key point in all of this is that security constraints are applied
AFTER the Mapper and BEFORE the DefaultServlet. If the request is for a
protected resource and the redirects take place in the Mapper, then the
response will confirm whether that resource exists irrespective of
whether or not the user is authorized to access the resource. If the
redirect takes place in the Default Servlet, the response will reflect
the security constraints and the user's access rights if any.

Again, you need to look at the security constraints for the Manager
application. /manager is NOT a protected resource so the redirect is
always going to happen.

Mark

> regards
> Harish Krishnan
>
> On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan wrote:
> > Thanks again for the reply, Chris & Violeta!
> > Thanks for clarifying what the "protected directory" is, even I guessed it
> > to be the same. Now I understood the fix for the directories protected by a
> > security constraint. I also verified this & the redirect is no more
> > happening for these protected ones. Really appreciate your help here.
> >
> > However, I am still unable to disable the redirect for the root of the
> > webapp. This is what I did on the latest Tomcat build (7.0.68) -
> >
> > a) Set the context attribute (mapperContextRootRedirectEnabled) to false
> > for the manager webapp. Here is my context.xml (from
> > \webapps\manager\META-INF\) file -
> >
> > <Context mapperContextRootRedirectEnabled="false"
> >          antiResourceLocking="false" privileged="true">
> > </Context>
> >
> > b) Accessing http://localhost:8080/manager gets redirected to manager/.
> >
> > c) I have also set the above context attribute in the default context.xml
> > (from \conf\context.xml) file as well.
> >
> > d) Accessing http://localhost:8080/examples gets redirected to examples/.
> >
> > Not sure what I am missing here. Same behavior is seen on my web
> > application too.
> > Please let me know where I am doing wrong & help me on how to disable the
> > redirect for the root of webapps.
> >
> > regards
> > Harish Krishnan
> >
> > On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> > > Harish,
> > >
> > > On 3/8/16 5:47 PM, Harish Krishnan wrote:
> > > > Thanks Chris for the reply.
> > > > Looks like my understanding of the fix is incorrect.
> > > > I assumed (my bad) that, with the fix for this CVE in place (Tomcat
> > > > 7.0.68) + setting the additional context attribute
> > > > (mapperContextRootRedirectEnabled="false"), all the redirects for that
> > > > webapp where the context attribute was set would completely be disabled.
> > > > You mentioned that only "protected directories" inside the deployed web
> > > > application are covered in this CVE fix.
> > > > Can you please help me understand what these protected directories are & how
> > > > to configure this in Tomcat?
> > >
> > > A "protected directory" is one that has a <security-constraint> in
> > > web.xml. That's not a spec-defined term... just one we've been using
> > > because it captures the meaning with fewer words.
> > >
> > > As for the redirects you are seeing that "expose" the availability of a
> > > particular web application, those are essentially impossible to prevent,
> > > and not considered a part of the CVE.
> > >
> > > -chris
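Mark's ordering argument above (Mapper, then security constraints, then DefaultServlet) and Chris's definition of a protected directory as a `<security-constraint>` in web.xml, worked through in a small Python model. This is an added example, not Tomcat's code: the web.xml, the directory layout and the role name manager-gui are constructed, url-pattern matching is simplified (no longest-match precedence), and the second constraint deliberately carries only a user-data-constraint, like the one posted earlier in this thread, to show that such a constraint authorizes everyone.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample web.xml (not the Manager's): /admin/* requires the
# manager-gui role; the second constraint carries only a user-data-constraint
# and no <auth-constraint>, so it restricts nobody.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed directory layout, relative to the context root; "" is the root
# itself (a request for /app with no trailing slash).
DIRS = {"", "/admin", "/admin/images", "/public"}

# (url-patterns, roles); roles None means no <auth-constraint>, nothing to enforce.
Constraint = Tuple[List[str], Optional[Set[str]]]

def parse_constraints(web_xml: str) -> List[Constraint]:
    """Collect every <security-constraint> with its url-patterns and roles."""
    local = lambda tag: tag.rsplit("}", 1)[-1]  # strip the XML namespace
    out = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        patterns, roles = [], None
        for el in sc.iter():
            name, text = local(el.tag), (el.text or "").strip()
            if name == "url-pattern":
                patterns.append(text)
            elif name == "auth-constraint":
                roles = set()  # present but empty means: deny everyone
            elif name == "role-name" and roles is not None:
                roles.add(text)
        out.append((patterns, roles))
    return out

def matches(pattern: str, path: str) -> bool:
    """Servlet-style url-pattern match (simplified: no longest-match rule)."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def handle(path: str, constraints: List[Constraint], roles: Set[str],
           redirect_in_mapper: bool) -> int:
    """HTTP status for one request; roles is what the caller holds (empty = anonymous)."""
    # 1. Mapper: the pre-fix behaviour redirects here, before any authorization check.
    if redirect_in_mapper and path in DIRS:
        return 302
    # 2. Security constraints: applied after the Mapper, before the DefaultServlet.
    for patterns, allowed in constraints:
        if allowed is None or not any(matches(p, path) for p in patterns):
            continue
        if not (("*" in allowed and roles) or (allowed & roles)):
            return 401 if not roles else 403
    # 3. DefaultServlet: its redirect is reached only after the constraints pass.
    return 302 if path in DIRS else 404

CONSTRAINTS = parse_constraints(SAMPLE_WEB_XML)

def probe(redirect_in_mapper: bool, roles: Set[str] = frozenset()) -> Dict[str, int]:
    """Status codes for: context root, protected dir, missing protected path, public dir."""
    paths = ("", "/admin/images", "/admin/nope", "/public")
    return {p: handle(p, CONSTRAINTS, set(roles), redirect_in_mapper) for p in paths}

def leaks_existence(redirect_in_mapper: bool) -> bool:
    """True if an anonymous caller can tell an existing protected directory from a missing one."""
    r = probe(redirect_in_mapper)
    return r["/admin/images"] != r["/admin/nope"]
```

Compare `probe(True)` with `probe(False)`: with the redirect in the Mapper an anonymous caller gets 302 for /admin/images and 401 for /admin/nope, while with the redirect in the DefaultServlet both return 401; the context root and the /public directory redirect in both modes because no constraint with an auth-constraint covers them.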
Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build
Hello There,

I am kind of blocked here in my project while applying your CVE fix in our
product & verifying the fix. Any guidelines on what I am doing (mentioned in
my previous email) wrong are highly appreciated.
All I am trying to do is disable the redirect for the root (Ex: /manager &
/examples in Tomcat) of the webapp. If I know how to do this on the
mentioned Tomcat webapps, then I can apply the same for my webapps too.
Looking for your response & help here.

regards
Harish Krishnan

On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan wrote:
> Thanks again for the reply, Chris & Violeta!
> Thanks for clarifying what the "protected directory" is, even I guessed it
> to be the same. Now I understood the fix for the directories protected by a
> security constraint. I also verified this & the redirect is no more
> happening for these protected ones. Really appreciate your help here.
>
> However, I am still unable to disable the redirect for the root of the
> webapp. This is what I did on the latest Tomcat build (7.0.68) -
>
> a) Set the context attribute (mapperContextRootRedirectEnabled) to false
> for the manager webapp. Here is my context.xml (from
> \webapps\manager\META-INF\) file -
>
> <Context mapperContextRootRedirectEnabled="false"
>          antiResourceLocking="false" privileged="true">
> </Context>
>
> b) Accessing http://localhost:8080/manager gets redirected to manager/.
>
> c) I have also set the above context attribute in the default context.xml
> (from \conf\context.xml) file as well.
>
> d) Accessing http://localhost:8080/examples gets redirected to examples/.
>
> Not sure what I am missing here. Same behavior is seen on my web
> application too.
> Please let me know where I am doing wrong & help me on how to disable the
> redirect for the root of webapps.
>
> regards
> Harish Krishnan
>
> On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> > Harish,
> >
> > On 3/8/16 5:47 PM, Harish Krishnan wrote:
> > > Thanks Chris for the reply.
> > > Looks like my understanding of the fix is incorrect.
> > > I assumed (my bad) that, with the fix for this CVE in place (Tomcat
> > > 7.0.68) + setting the additional context attribute
> > > (mapperContextRootRedirectEnabled="false"), all the redirects for that
> > > webapp where the context attribute was set would completely be disabled.
> > > You mentioned that only "protected directories" inside the deployed web
> > > application are covered in this CVE fix.
> > > Can you please help me understand what these protected directories are & how
> > > to configure this in Tomcat?
> >
> > A "protected directory" is one that has a <security-constraint> in
> > web.xml. That's not a spec-defined term... just one we've been using
> > because it captures the meaning with fewer words.
> >
> > As for the redirects you are seeing that "expose" the availability of a
> > particular web application, those are essentially impossible to prevent,
> > and not considered a part of the CVE.
> >
> > -chris
Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build
Any help on my previous question is really appreciated. Thank You!

On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan wrote:
> Thanks again for the reply, Chris & Violeta!
> Thanks for clarifying what the "protected directory" is, even I guessed it
> to be the same. Now I understood the fix for the directories protected by a
> security constraint. I also verified this & the redirect is no more
> happening for these protected ones. Really appreciate your help here.
>
> However, I am still unable to disable the redirect for the root of the
> webapp. This is what I did on the latest Tomcat build (7.0.68) -
>
> a) Set the context attribute (mapperContextRootRedirectEnabled) to false
> for the manager webapp. Here is my context.xml (from
> \webapps\manager\META-INF\) file -
>
> <Context mapperContextRootRedirectEnabled="false"
>          antiResourceLocking="false" privileged="true">
> </Context>
>
> b) Accessing http://localhost:8080/manager gets redirected to manager/.
>
> c) I have also set the above context attribute in the default context.xml
> (from \conf\context.xml) file as well.
>
> d) Accessing http://localhost:8080/examples gets redirected to examples/.
>
> Not sure what I am missing here. Same behavior is seen on my web
> application too.
> Please let me know where I am doing wrong & help me on how to disable the
> redirect for the root of webapps.
>
> regards
> Harish Krishnan
>
> On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> > Harish,
> >
> > On 3/8/16 5:47 PM, Harish Krishnan wrote:
> > > Thanks Chris for the reply.
> > > Looks like my understanding of the fix is incorrect.
> > > I assumed (my bad) that, with the fix for this CVE in place (Tomcat
> > > 7.0.68) + setting the additional context attribute
> > > (mapperContextRootRedirectEnabled="false"), all the redirects for that
> > > webapp where the context attribute was set would completely be disabled.
> > > You mentioned that only "protected directories" inside the deployed web
> > > application are covered in this CVE fix.
> > > Can you please help me understand what these protected directories are & how
> > > to configure this in Tomcat?
> >
> > A "protected directory" is one that has a <security-constraint> in
> > web.xml. That's not a spec-defined term... just one we've been using
> > because it captures the meaning with fewer words.
> >
> > As for the redirects you are seeing that "expose" the availability of a
> > particular web application, those are essentially impossible to prevent,
> > and not considered a part of the CVE.
> >
> > -chris
Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build
Thanks again for the reply, Chris & Violeta!
Thanks for clarifying what the "protected directory" is, even I guessed it
to be the same. Now I understood the fix for the directories protected by a
security constraint. I also verified this & the redirect is no more
happening for these protected ones. Really appreciate your help here.

However, I am still unable to disable the redirect for the root of the
webapp. This is what I did on the latest Tomcat build (7.0.68) -

a) Set the context attribute (mapperContextRootRedirectEnabled) to false
for the manager webapp. Here is my context.xml (from
\webapps\manager\META-INF\) file -

<Context mapperContextRootRedirectEnabled="false"
         antiResourceLocking="false" privileged="true">
</Context>

b) Accessing http://localhost:8080/manager gets redirected to manager/.

c) I have also set the above context attribute in the default context.xml
(from \conf\context.xml) file as well.

d) Accessing http://localhost:8080/examples gets redirected to examples/.

Not sure what I am missing here. Same behavior is seen on my web
application too.
Please let me know where I am doing wrong & help me on how to disable the
redirect for the root of webapps.

regards
Harish Krishnan

On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:
> Harish,
>
> On 3/8/16 5:47 PM, Harish Krishnan wrote:
> > Thanks Chris for the reply.
> > Looks like my understanding of the fix is incorrect.
> > I assumed (my bad) that, with the fix for this CVE in place (Tomcat
> > 7.0.68) + setting the additional context attribute
> > (mapperContextRootRedirectEnabled="false"), all the redirects for that
> > webapp where the context attribute was set would completely be disabled.
> > You mentioned that only "protected directories" inside the deployed web
> > application are covered in this CVE fix.
> > Can you please help me understand what these protected directories are & how
> > to configure this in Tomcat?
>
> A "protected directory" is one that has a <security-constraint> in
> web.xml. That's not a spec-defined term... just one we've been using
> because it captures the meaning with fewer words.
>
> As for the redirects you are seeing that "expose" the availability of a
> particular web application, those are essentially impossible to prevent,
> and not considered a part of the CVE.
>
> -chris
Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build
Harish,

On 3/8/16 5:47 PM, Harish Krishnan wrote:
> Thanks Chris for the reply.
> Looks like my understanding of the fix is incorrect.
> I assumed (my bad) that, with the fix for this CVE in place (Tomcat
> 7.0.68) + setting the additional context attribute
> (mapperContextRootRedirectEnabled="false"), all the redirects for that
> webapp where the context attribute was set would completely be disabled.
> You mentioned that only "protected directories" inside the deployed web
> application are covered in this CVE fix.
> Can you please help me understand what these protected directories are & how
> to configure this in Tomcat?

A "protected directory" is one that has a <security-constraint> in
web.xml. That's not a spec-defined term... just one we've been using
because it captures the meaning with fewer words.

As for the redirects you are seeing that "expose" the availability of a
particular web application, those are essentially impossible to prevent,
and not considered a part of the CVE.

-chris
Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build
Hi Harish,

2016-03-09 0:47 GMT+02:00 Harish Krishnan :
>
> Thanks Chris for the reply.
> Looks like my understanding of the fix is incorrect.
> I assumed (my bad) that, with the fix for this CVE in place (Tomcat
> 7.0.68) + setting the additional context attribute
> (mapperContextRootRedirectEnabled="false"), all the redirects for that
> webapp where the context attribute was set would completely be disabled.
> You mentioned that only "protected directories" inside the deployed web
> application are covered in this CVE fix.
> Can you please help me understand what these protected directories are & how
> to configure this in Tomcat?

As Mark already pointed out, look at the web.xml of the Manager application ->
security constraints sections.
Also you may find the following link [1] useful.

Regards,
Violeta

[1] https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html

> regards
> Harish Krishnan
>
> On Tue, Mar 8, 2016 at 7:59 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> > Harish,
> >
> > On 3/7/16 6:02 PM, Harish Krishnan wrote:
> > > Unfortunately, I still could not verify this vulnerability as it
> > > still appears not fixed & my requests get redirected.
> >
> > What makes you think that the requests should not be redirected?
> >
> > > Instead of using the manager webapp that comes default in Tomcat,
> > > we created a sample webapp with the following security constraint
> > > -
> > > <welcome-file-list>
> > >   <welcome-file>hello.html</welcome-file>
> > > </welcome-file-list>
> > >
> > > <security-constraint>
> > >   <web-resource-collection>
> > >     <web-resource-name>sercure-hello</web-resource-name>
> > >     <url-pattern>/*</url-pattern>
> > >   </web-resource-collection>
> > >   <user-data-constraint>
> > >     <transport-guarantee>NONE</transport-guarantee>
> > >   </user-data-constraint>
> > > </security-constraint>
> > >
> > > Accessing http://localhost:8080/a (which exists) gets redirected to
> > > http://localhost:8080/a/ & then gets 404. Accessing
> > > http://localhost:8080/b (does not exist) simply gets 404.
> >
> > Where did you deploy this sample web application?
> >
> > > I have set the context attribute (mapperContextRootRedirectEnabled)
> > > as well -
> > > <Context mapperContextRootRedirectEnabled="false"
> > >          antiResourceLocking="false" privileged="true">
> > >
> > > My question simply boils down to: what additional setting do I need to
> > > do for the above redirect to NOT happen.
> >
> > Which redirect? A redirect for a protected directory inside of a
> > deployed web application (which is what this CVE covers) or the
> > redirect for a deployed web application (which is not what this CVE
> > covers)?
> >
> > -chris
Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build
Thanks Chris for the reply.
Looks like my understanding of the fix is incorrect.
I assumed (my bad) that, with the fix for this CVE in place (Tomcat
7.0.68) + setting the additional context attribute
(mapperContextRootRedirectEnabled="false"), all the redirects for that
webapp where the context attribute was set would completely be disabled.
You mentioned that only "protected directories" inside the deployed web
application are covered in this CVE fix.
Can you please help me understand what these protected directories are & how
to configure this in Tomcat?

regards
Harish Krishnan

On Tue, Mar 8, 2016 at 7:59 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:
> Harish,
>
> On 3/7/16 6:02 PM, Harish Krishnan wrote:
> > Unfortunately, I still could not verify this vulnerability as it
> > still appears not fixed & my requests get redirected.
>
> What makes you think that the requests should not be redirected?
>
> > Instead of using the manager webapp that comes default in Tomcat,
> > we created a sample webapp with the following security constraint
> > -
> > <welcome-file-list>
> >   <welcome-file>hello.html</welcome-file>
> > </welcome-file-list>
> >
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>sercure-hello</web-resource-name>
> >     <url-pattern>/*</url-pattern>
> >   </web-resource-collection>
> >   <user-data-constraint>
> >     <transport-guarantee>NONE</transport-guarantee>
> >   </user-data-constraint>
> > </security-constraint>
> >
> > Accessing http://localhost:8080/a (which exists) gets redirected to
> > http://localhost:8080/a/ & then gets 404. Accessing
> > http://localhost:8080/b (does not exist) simply gets 404.
>
> Where did you deploy this sample web application?
>
> > I have set the context attribute (mapperContextRootRedirectEnabled)
> > as well -
> > <Context mapperContextRootRedirectEnabled="false"
> >          antiResourceLocking="false" privileged="true">
> >
> > My question simply boils down to: what additional setting do I need to
> > do for the above redirect to NOT happen.
>
> Which redirect? A redirect for a protected directory inside of a
> deployed web application (which is what this CVE covers) or the
> redirect for a deployed web application (which is not what this CVE
> covers)?
>
> -chris
Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build
Harish,

On 3/7/16 6:02 PM, Harish Krishnan wrote:
> Unfortunately, I still could not verify this vulnerability as it
> still appears not fixed & my requests get redirected.

What makes you think that the requests should not be redirected?

> Instead of using the manager webapp that comes default in Tomcat,
> we created a sample webapp with the following security constraint
> -
> <welcome-file-list>
>   <welcome-file>hello.html</welcome-file>
> </welcome-file-list>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>sercure-hello</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> Accessing http://localhost:8080/a (which exists) gets redirected to
> http://localhost:8080/a/ & then gets 404. Accessing
> http://localhost:8080/b (does not exist) simply gets 404.

Where did you deploy this sample web application?

> I have set the context attribute (mapperContextRootRedirectEnabled)
> as well -
> <Context mapperContextRootRedirectEnabled="false"
>          antiResourceLocking="false" privileged="true">
>
> My question simply boils down to: what additional setting do I need to
> do for the above redirect to NOT happen.

Which redirect? A redirect for a protected directory inside of a
deployed web application (which is what this CVE covers) or the
redirect for a deployed web application (which is not what this CVE
covers)?

-chris
Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build
Thanks for the reply, Mark.
Unfortunately, I still could not verify this vulnerability as it still
appears not fixed & my requests get redirected.
Instead of using the manager webapp that comes default in Tomcat, we created
a sample webapp with the following security constraint -

<welcome-file-list>
  <welcome-file>hello.html</welcome-file>
</welcome-file-list>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>sercure-hello</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Accessing http://localhost:8080/a (which exists) gets redirected to
http://localhost:8080/a/ & then gets 404. Accessing
http://localhost:8080/b (does not exist) simply gets 404.
I have set the context attribute (mapperContextRootRedirectEnabled) as well -

<Context mapperContextRootRedirectEnabled="false"
         antiResourceLocking="false" privileged="true">

My question simply boils down to: what additional setting do I need to
do for the above redirect to NOT happen.
Thanks for your help.

regards
Harish Krishnan

On Mon, Mar 7, 2016 at 12:42 PM, Mark Thomas wrote:
> On 07/03/2016 20:23, Harish Krishnan wrote:
> > Hi There,
> >
> > I am verifying the fix that you made for CVE-2015-5345 & it appears to be
> > not fixed. I might be doing something wrong & hence sending out this email
> > to you.
> > All I did was,
> > a) Downloaded & installed the latest Tomcat build 7.0.68.
> > b) Added the following context attribute to the manager webapp just for testing -
> > File: $CATALINA_HOME\webapps\manager\META-INF\context.xml
> > <Context mapperContextRootRedirectEnabled="false"
> >          antiResourceLocking="false" privileged="true">
> > c) When I access http://localhost/8080/manager/images, it still gets
> > redirected to /images/, thereby confirming the folder location. Same thing
> > happens when accessing /manager/index.jsp too.
> >
> > Am I missing anything here?
>
> Yes. Look at the security constraints defined for the Manager application.
>
> Mark
Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build
On 07/03/2016 20:23, Harish Krishnan wrote:
> Hi There,
>
> I am verifying the fix that you made for CVE-2015-5345 & it appears to be
> not fixed. I might be doing something wrong & hence sending out this email
> to you.
> All I did was,
> a) Downloaded & installed the latest Tomcat build 7.0.68.
> b) Added the following context attribute to the manager webapp just for testing -
> File: $CATALINA_HOME\webapps\manager\META-INF\context.xml
> <Context mapperContextRootRedirectEnabled="false"
>          antiResourceLocking="false" privileged="true">
> c) When I access http://localhost/8080/manager/images, it still gets
> redirected to /images/, thereby confirming the folder location. Same thing
> happens when accessing /manager/index.jsp too.
>
> Am I missing anything here?

Yes. Look at the security constraints defined for the Manager application.

Mark
Question about your recent security (CVE-2015-5345) fix in 7.0.68 build
Hi There,

I am verifying the fix that you made for CVE-2015-5345 & it appears to be
not fixed. I might be doing something wrong & hence sending out this email
to you.
All I did was,
a) Downloaded & installed the latest Tomcat build 7.0.68.
b) Added the following context attribute to the manager webapp just for testing -
File: $CATALINA_HOME\webapps\manager\META-INF\context.xml
<Context mapperContextRootRedirectEnabled="false"
         antiResourceLocking="false" privileged="true">
c) When I access http://localhost/8080/manager/images, it still gets
redirected to /images/, thereby confirming the folder location. Same thing
happens when accessing /manager/index.jsp too.

Am I missing anything here?
Please help me understand the exact fix for this issue.

regards
Harish Krishnan