If you top-post (which is strongly discouraged on this list), it makes it very difficult
to answer your questions and still leave the whole thing understandable for other people
who may try to follow this thread.
Aditi Sinha wrote:
Hi Mark, Chuck,
Thanks for the explanation.
On checking found that, below system properties are set to true by our
application for a requirement.
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:
true
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true
Is there any other workaround/solution which can help us make our
application secure w.r.t this vulnerability?
As Mark tried to point out,
in a standard default Tomcat configuration, this issue would not exist, because
a) a URL with a "\" in it is an invalid URL, and it would be rejected by a Tomcat
configured normally. It is only because you explicitly tell Tomcat to act in a
non-standard way, that the issue occurs with this URL.
So the issue is of your own doing. If your application has such a requirement, then it is
your application that needs to be corrected, not Tomcat.
To use an analogy : if you knowingly disable the brakes of your car, and then sue the
manufacturer because you had a road accident because your car didn't stop anymore, chances
are that you will lose the lawsuit. (*)
b) without the backslash in it, "http://localhost:8080/scripts/../manager/html"; is a
perfectly valid URL, which evaluates to "http://localhost:8080/manager/html";, which is a
valid URL and does *not* involve "directory traversal" of any kind. So it is the program
that "detects" this so-called vulnerability which is wrong, and obviously there is nothing
that the Tomcat folks can do about this.
c) in a normal Tomcat setup, the Manager application is protected by an authentication
and access-control mechanism. So a request to "http://localhost:8080/manager/html"; would
lead to a login page or other form of authentication, and would not provide unauthorised
access to the Manager app. So there is no security weakness issue involved either.
In other words : the logical course of action here would be to tell whoever is running
this program, that the warning issued by the program is bogus, and tell them that it
should be ignored. And if they are smart, they will respond that Tomcat should have
rejected this invalid URL because it has a backslash in it. And then you will have to
explain to them that your application requires Tomcat to accept these invalid URLs.
Now if you want a sneaky way to make this particular message go away, and under your own
reponsibility, you could always uninstall (or rename) the Manager application. But don't
tell anyone that I said this (and don't even think for a second that it makes the
fundamental issue go away.)
(*) Although a US tort lawyer might argue in this case that by providing these special
Java options to disable the brakes, the Tomcat developers are complicit with the users who
use them, and thus liable for a million-dollar emotional distress compensation payment.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
