Posted to dev@tomcat.apache.org by bu...@apache.org on 2017/01/31 03:34:12 UTC
[Bug 60667] New: Information disclosure vulnerability leaking files from WEB-INF and META-INF
https://bz.apache.org/bugzilla/show_bug.cgi?id=60667
Bug ID: 60667
Summary: Information disclosure vulnerability leaking files from WEB-INF and META-INF
Product: Tomcat 7
Version: 7.0.61
Hardware: All
Status: NEW
Severity: minor
Priority: P2
Component: Servlet & JSP API
Assignee: dev@tomcat.apache.org
Reporter: adarshdinesh@gmail.com
Target Milestone: ---
Request : https://<server>:<port>/META-INf./template.mf
Response : Content of template.mf
Here the Tomcat URL filter for restricting access to META-INF and WEB-INF can
be evaded by using a "." at the end of the directory name and keeping at least
one character lowercase.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60667] Information disclosure vulnerability leaking files from WEB-INF and META-INF
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60667
--- Comment #3 from Mark Thomas <ma...@apache.org> ---
(In reply to Josh Soref from comment #2)
> mark: did you test on Windows?
Yes, the tests included Windows.
> the `.` behavior is a Windows thing.
Not with Tomcat it isn't. The '.' is enough to always trigger a 404 unless
there actually is a directory with that name. I also tested without the '.'.
> Case folding could also happen on macOS.
Tomcat has code that explicitly prevents this on any case insensitive file
system. It can be disabled if allowLinking is set to true but that is why there
is a huge security warning in the docs about enabling that on case insensitive
file systems.
> (I'm not endorsing the bug, just guessing about how this could be. And I
> don't have a tomcat instance handy to test.)
As I previously stated, the behaviour described looks like a poorly configured
reverse proxy.
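An added example (not code from the bug report or from Tomcat) showing why a literal, case-sensitive proxy rule misses the requests discussed in this thread, and what a canonicalising check looks like: it percent-decodes, case-folds, resolves dot segments and strips the trailing dots and spaces that case-insensitive file systems ignore, then audits constructed access-log lines for requests the literal rule lets through. The log lines, the `naive_is_protected` rule and the `audit` helper are assumptions for illustration; the canonicaliser goes slightly beyond the trailing-dot and case-folding cases in the thread by also handling percent-encoding and dot segments.

```python
import re
from urllib.parse import unquote

PROTECTED = ("web-inf", "meta-inf")


def naive_is_protected(path: str) -> bool:
    """Literal, case-sensitive match: what a sloppy proxy rule often does."""
    return "/WEB-INF/" in path or "/META-INF/" in path


def canonical_segments(path: str) -> list[str]:
    """Percent-decode, case-fold, resolve dot segments and strip the
    trailing dots/spaces that case-insensitive file systems ignore."""
    out: list[str] = []
    for raw in re.split(r"[/\\]+", path.split("?", 1)[0]):
        seg = unquote(unquote(raw)).lower()  # twice: catches double encoding
        if seg == "..":
            if out:
                out.pop()
            continue
        seg = seg.rstrip(". ")  # "META-INf." -> "meta-inf"
        if seg:
            out.append(seg)
    return out


def hardened_is_protected(path: str) -> bool:
    """True if any canonical segment is WEB-INF or META-INF."""
    return any(seg in PROTECTED for seg in canonical_segments(path))


# Constructed sample access-log lines (not taken from the bug report).
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jan/2017:03:34:12 +0000] "GET /app/META-INf./template.mf HTTP/1.1" 200 512
10.0.0.5 - - [31/Jan/2017:03:34:13 +0000] "GET /app/WEB-INF/web.xml HTTP/1.1" 404 0
10.0.0.5 - - [31/Jan/2017:03:34:14 +0000] "GET /app/web-inf/web.xml HTTP/1.1" 200 2048
10.0.0.7 - - [31/Jan/2017:03:35:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 1024
"""

REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def audit(log_text: str) -> list[str]:
    """Requests the hardened check flags but the naive rule misses; a 200
    on such a line means the proxy (or backend) actually served the file."""
    missed = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m and hardened_is_protected(m.group(1)) and not naive_is_protected(m.group(1)):
            missed.append(m.group(1))
    return missed
```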
--- Comment #2 from Josh Soref <ap...@soref.com> ---
mark: did you test on Windows? the `.` behavior is a Windows thing. Case
folding could also happen on macOS.
(I'm not endorsing the bug, just guessing about how this could be. And I don't
have a tomcat instance handy to test.)
Mark Thomas <ma...@apache.org> changed:
What       | Removed | Added
-----------+---------+---------
Resolution | ---     | INVALID
Status     | NEW     | RESOLVED
OS         |         | All
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Tomcat correctly returns a 404 for such requests.
I suspect the root cause here is a poorly configured reverse proxy.
Also, vulnerability reports should NOT be made via a public bug tracker. The
correct process is described at http://tomcat.apache.org/security.html