Re: Need help to understand CVE-2007-0450

2012-11-22 Thread Pid *
On 22 Nov 2012, at 07:34, Aditi Sinha adisinha0...@gmail.com wrote: Hi Mark, Chuck, Thanks for the explanation. On checking, found that the below system properties are set to true by our application for a requirement. org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:

Re: Need help to understand CVE-2007-0450

2012-11-22 Thread André Warnier
If you top-post (which is strongly discouraged on this list), it makes it very difficult to answer your questions and still leave the whole thing understandable for other people who may try to follow this thread. Aditi Sinha wrote: Hi Mark, Chuck, Thanks for the explanation. On checking

Re: Need help to understand CVE-2007-0450

2012-11-22 Thread Aditi Sinha
Hi Andre, Agree with your points. Just wanted to know more about “Directory Traversal Attack”. Can it lead to access of directories outside Tomcat/webapps folder also or can it just try to access the applications within Tomcat/webapps folder only? Thanks Regards, Aditi

Re: Need help to understand CVE-2007-0450

2012-11-22 Thread Athanasios Kostopoulos
On 22/11/12 10:52, Aditi Sinha wrote: Hi Andre, Agree with your points. Just wanted to know more about “Directory Traversal Attack”. Can it lead to access of directories outside Tomcat/webapps folder also or can it just try to access the applications within Tomcat/webapps folder only?

Re: Need help to understand CVE-2007-0450

2012-11-22 Thread André Warnier
Athanasios Kostopoulos wrote: On 22/11/12 10:52, Aditi Sinha wrote: Hi Andre, Agree with your points. Just wanted to know more about “Directory Traversal Attack”. Can it lead to access of directories outside Tomcat/webapps folder also or can it just try to access the applications within

Re: Need help to understand CVE-2007-0450

2012-11-22 Thread Aditi Sinha
Thanks Guys. As per my reading of the suggested material and looking at the logs that Andre has shared, I think there are two ways in which the directory traversal attack could be made. 1. By having ..\ equivalents in the URL itself 2. By having ..\ equivalents in the request parameters. In my

Re: Need help to understand CVE-2007-0450

2012-11-22 Thread David Kerber
On 11/22/2012 8:35 AM, Aditi Sinha wrote: Thanks Guys. As per my reading of the suggested material and looking at the logs that Andre has shared, I think there are two ways in which the directory traversal attack could be made. 1. By having ..\ equivalents in the URL itself 2. By having ..\

Re: Need help to understand CVE-2007-0450

2012-11-22 Thread Mark Thomas
On 22/11/2012 15:11, David Kerber wrote: On 11/22/2012 8:35 AM, Aditi Sinha wrote: Thanks Guys. As per my reading of the suggested material and looking at the logs that Andre has shared, I think there are two ways in which the directory traversal attack could be made. 1. By having ..\

Re: Need help to understand CVE-2007-0450

2012-11-22 Thread André Warnier
Aditi Sinha wrote: Thanks Guys. As per my reading of the suggested material and looking at the logs that Andre has shared, I think there are two ways in which the directory traversal attack could be made. 1. By having ..\ equivalents in the URL itself 2. By having ..\ equivalents in the

Re: Need help to understand CVE-2007-0450

2012-11-22 Thread Pid
On 22/11/2012 09:52, Aditi Sinha wrote: Hi Andre, Agree with your points. Just wanted to know more about “Directory Traversal Attack”. Can it lead to access of directories outside Tomcat/webapps folder also For the last time, this is in all probability a false positive due to a crappy

Re: Need help to understand CVE-2007-0450

2012-11-22 Thread Aditi Sinha
*Whether someone can get access to any file/directory outside the tomcat webapps folder using Style 1 (using ..\ equivalent in the URL itself) Directory traversal attack (scoped to Tomcat) on Windows.* Have you tried this? How does Tomcat respond? I tried to access some files outside the

Re: Need help to understand CVE-2007-0450

2012-11-22 Thread Aditi Sinha
For example, if inside of your webapps directory, you had symbolic links leading elsewhere (but I don't think that under Windows this works). *Inside webapps directory, we do not have any symbolic links.* In your normal setup, is there any front-end system in front of Tomcat, or do clients

Re: Need help to understand CVE-2007-0450

2012-11-22 Thread Aditi Sinha
Test it yourself. Are you able to access a directory or file below the level of the webapps directory, simply by using a specially crafted request? *With our testing could not access any files/directory outside webapps folder.* Thanks Regards, Aditi

RE: Need help to understand CVE-2007-0450

2012-11-21 Thread Caldarale, Charles R
From: Aditi Sinha [mailto:adisinha0...@gmail.com] Subject: Need help to understand CVE-2007-0450 We have a web server hosted on Tomcat 7.0.22. The tool was able to access the Tomcat manager application with the following URL : http://localhost:8080/scripts/\../manager/html As per Tomcat

Re: Need help to understand CVE-2007-0450

2012-11-21 Thread Mark Thomas
On 21/11/2012 13:40, Aditi Sinha wrote: Hi, We have a web server hosted on Tomcat 7.0.22. There are two connectors defined server.xml listening at port 8080 and 8443. During vulnerability scan a 3rd party tool reported CVE-2007-0450 “Apache Tomcat Directory Traversal Attack” on both

Re: Need help to understand CVE-2007-0450

2012-11-21 Thread André Warnier
Caldarale, Charles R wrote: From: Aditi Sinha [mailto:adisinha0...@gmail.com] Subject: Need help to understand CVE-2007-0450 We have a web server hosted on Tomcat 7.0.22. The tool was able to access the Tomcat manager application with the following URL :

Re: Need help to understand CVE-2007-0450

2012-11-21 Thread Pid *
On 21 Nov 2012, at 14:59, André Warnier a...@ice-sa.com wrote: Caldarale, Charles R wrote: From: Aditi Sinha [mailto:adisinha0...@gmail.com] Subject: Need help to understand CVE-2007-0450 We have a web server hosted on Tomcat 7.0.22. The tool was able to access the Tomcat manager

Re: Need help to understand CVE-2007-0450

2012-11-21 Thread Aditi Sinha
Hi Mark, Chuck, Thanks for the explanation. On checking, found that the below system properties are set to true by our application for a requirement. org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true