On 2/1/23 12:06 PM, Mark Thomas wrote:
> The pen tester requested "/app/..;/manager"
>
> The proxy passed that as is to Tomcat since it starts with "/app"


As it happens, this particular customer was the first one in which I tried putting only the IP addresses with any business accessing manager into its remote address valve, instead of just commenting out the valve.

I tried that syntax in a browser, from an IP address that's allowed to access manager, and it got in.

I then tried it in a browser on my Chromebook, going through my cell phone's hotspot (which would definitely NOT have a permitted address), and it didn't even get to the sign-on panel before kicking me out with an error message.
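As an added illustration (not code from the thread, from Tomcat, or from any proxy product), the following Python models the two layers discussed above: a proxy that forwards anything starting with "/app", and a RemoteAddrValve on the manager context that only admits listed client addresses. The path normalisation is a constructed approximation of how a servlet container treats ";param" suffixes and ".." segments, not Tomcat's actual code, and the allowed networks, client addresses and function names are assumptions made up for the example.

```python
# Added example (not from the thread): why a "starts with /app" check at the
# proxy passes "/app/..;/manager" through, and how normalising before the
# check, plus the RemoteAddrValve on the manager context, stops the request.
import posixpath
from ipaddress import ip_address, ip_network


def strip_path_parameters(path: str) -> str:
    """Drop ';param' from every segment, the way a servlet container treats
    'segment;jsessionid=...' as the segment plus a path parameter.
    (Simplified model, not Tomcat's implementation.)"""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def normalize(path: str) -> str:
    """Strip path parameters first, then collapse '.' and '..' segments.
    Doing these in this order is what turns '/app/..;/manager' into '/manager'."""
    return posixpath.normpath(strip_path_parameters(path))


def naive_proxy_allows(path: str) -> bool:
    """The proxy rule described in the thread: a raw prefix match on '/app'."""
    return path.startswith("/app")


def hardened_proxy_allows(path: str) -> bool:
    """Same rule applied to the normalised path, so dot segments and path
    parameters cannot steer the request to a different context."""
    canonical = normalize(path)
    return canonical == "/app" or canonical.startswith("/app/")


# Constructed allow list standing in for the valve's 'allow' attribute.
ALLOWED_MANAGER_NETS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.10/32")]


def remote_addr_valve_allows(client_ip: str) -> bool:
    """Model of RemoteAddrValve: admit only clients inside the listed networks."""
    ip = ip_address(client_ip)
    return any(ip in net for net in ALLOWED_MANAGER_NETS)


def request_outcome(path: str, client_ip: str, proxy_check) -> str:
    """Trace a request through the proxy rule and then the manager valve.
    Returns a short label describing where the request ends up."""
    if not proxy_check(path):
        return "blocked at proxy"
    target = normalize(path)
    if target == "/manager" or target.startswith("/manager/"):
        # The valve runs before authentication, which matches the thread's
        # observation that the sign-on panel was never reached.
        if not remote_addr_valve_allows(client_ip):
            return "blocked by RemoteAddrValve"
        return "reaches manager"
    return "reaches " + target


if __name__ == "__main__":
    probe = "/app/..;/manager"
    print(normalize(probe))                                        # /manager
    print(request_outcome(probe, "203.0.113.5", naive_proxy_allows))   # blocked by RemoteAddrValve
    print(request_outcome(probe, "10.1.2.3", naive_proxy_allows))      # reaches manager
    print(request_outcome(probe, "10.1.2.3", hardened_proxy_allows))   # blocked at proxy
```

The point of the model is that the valve only saves the day for clients outside the allow list; a permitted address still reaches manager through the proxy, exactly as the browser test above showed. Normalising the path before the prefix check at the proxy closes that hole regardless of client address, and the valve remains a worthwhile second layer for anything the proxy rule misses.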


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org