On 2/1/23 12:06 PM, Mark Thomas wrote:
> The pen tester requested "/app/..;/manager"
> The proxy passed that as is to Tomcat since it starts with "/app"
Thanks.
As it happens, this particular customer was the first one in which I
tried putting the only IP addresses with any business accessing manager
into its remote address valve, instead of just commenting out the valve.
I tried that syntax in a browser, from an IP address that's allowed to
access manager, and it got in.
I then tried it in a browser on my Chromebook, going through my cell
phone's hotspot (which would definitely NOT have a permitted address),
and it didn't even get to the sign-on panel before kicking me out with
an error message.
--
JHHL
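The bypass quoted above works because the proxy tests the raw path prefix while Tomcat strips `;param` path parameters from each segment and then resolves `..`, so `/app/..;/manager` is served as `/manager`. The following is an added example, not code from the thread or from Tomcat: a proxy-side check that computes the effective path before deciding, combined with an IP allow list modelled on the RemoteAddrValve approach described in the reply. The function names, the protected prefixes and the sample addresses are assumptions for illustration.

```python
# Added example: compute the path Tomcat will actually map, then apply
# the allow/deny decision to that rather than to the raw request path.
from urllib.parse import unquote


def tomcat_effective_path(raw_path: str) -> str:
    """Approximate Tomcat's mapping: decode, drop ';...' path parameters
    from every segment, then normalize '.' and '..'.  Assumption: this is a
    close-enough model for an allow/deny decision, not Tomcat's own code."""
    path = unquote(raw_path.split("?", 1)[0])
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]          # "..;" becomes ".." ; "x;jsessionid=.." becomes "x"
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()               # climbs out of /app, just as Tomcat does
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


# Constructed for the example: contexts that must never be reached via the proxy
# unless the client is on the explicit allow list.
PROTECTED_PREFIXES = ("/manager", "/host-manager")


def should_forward(raw_path: str, client_ip: str, allowed_ips: set) -> bool:
    """Forward if the effective path is outside the protected contexts, or the
    client address is explicitly allowed (the RemoteAddrValve idea, applied at
    the proxy as a second layer)."""
    effective = tomcat_effective_path(raw_path)
    hits_protected = any(
        effective == p or effective.startswith(p + "/") for p in PROTECTED_PREFIXES
    )
    if not hits_protected:
        return True
    return client_ip in allowed_ips


if __name__ == "__main__":
    # Constructed sample requests; 10.0.0.8 stands in for an admin workstation.
    for path, ip in [("/app/..;/manager/html", "203.0.113.5"),
                     ("/app/..;/manager/html", "10.0.0.8"),
                     ("/app/home", "203.0.113.5")]:
        print(path, ip, "->", tomcat_effective_path(path), should_forward(path, ip, {"10.0.0.8"}))
```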