Posted to users@tomcat.apache.org by "Ragavendhiran Bhiman (rabhiman)" <ra...@cisco.com.INVALID> on 2022/12/14 13:00:46 UTC

Host header attack vulnerability

Hi All,

I am facing one issue related to host header manipulation: changing the Host header is changing the URL itself. This attack is done via the Burp Suite tool. I have copied the current configuration here; as you can see, the default hostname is defined and appBase is provided.

The attack is happening only before the admin login page. On any pages displayed after the login, the host header manipulation is not happening. Kindly advise me how to fix this problem from the Apache side.

<Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->
              <!-- This Realm uses the UserDatabase configured in the global JNDI
                   resources under the key "UserDatabase".  Any edits
                   that are performed against this UserDatabase are immediately
                   available for use by the Realm.  -->
        <!--      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                     resourceName="UserDatabase"/>-->
                 <Realm className="com.cisco.cpm.infra.realm.AdminRealm"/>

              <Valve className="org.apache.catalina.valves.MethodsValve" methodsSupported="GET,POST,PUT,DELETE,HEAD" />



              <!-- Define the default virtual host
                   Note: XML Schema validation will not work with Xerces 2.2.
               -->

      <Host name="localhost"  appBase="webapps"
          unpackWARs="true" autoDeploy="true"
          xmlValidation="false" xmlNamespaceAware="false">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
                <!-- CSCtn68389: enable the SSO Valve in order to avoid repetitive REST authentications through AdminRealm. By enabling the Valve,
                     the authenticate method in the Realm is invoked only once and after that, Tomcat sends a JSESSIONIDSSO cookie to the client.
                     The client sends the JSESSIONIDSSO back in each request so Tomcat can map the request to a live session without the need to authenticate.  -->
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

        <Valve className="com.cisco.ise.tomcat.valves.GuestVlanUrlRedirectValve" />

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html -->
        <!-- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"

Thanks & Regards,

Raghav


Re: Host header attack vulnerability

Posted by Mark Thomas <ma...@apache.org>.
There isn't anything here that indicates that there is a problem for 
Tomcat to solve.

You appear to be using a tool provided by Cisco. I suggest you contact 
Cisco for support.

If you still believe that there is a Tomcat issue here please provide:

- Full details (including HTTP headers) of a request that triggers the
   issue
- Full details of how the response differs from what you expect

Generally, I'll note that in the default configuration, Tomcat will 
route all requests to the default host irrespective of the value 
presented in the Host header.

Mark
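
The two things a practitioner would want at this point are (a) a way to produce the evidence Mark asks for, i.e. whether the spoofed Host value comes back in the response, and (b) the check an application should apply to the Host header before using it to build absolute URLs or redirects. The following is an added example and is not code from the thread, from Tomcat or from the Cisco product; the allowed host names, the redirect handlers and the responses they return are constructed stand-ins for the behaviour described in the original post.

```python
"""Host-header reflection probe and server-side allowlist check.

Added example, not from the thread. ALLOWED_HOSTS, the two *_login_redirect
handlers and the responses they build are constructed for illustration; they
stand in for the admin application, they are not Tomcat or Cisco code.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Names this deployment expects to be addressed by (assumed values).
ALLOWED_HOSTS = {"admin.example.com", "localhost"}

# A Host header is a hostname or bracketed IPv6 literal, optionally ":port".
# Anything else (a path, whitespace, a second header smuggled in) is rejected.
_HOST_RE = re.compile(
    r"^(?P<host>\[[0-9a-fA-F:.]+\]|[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?$"
)

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)


def host_is_allowed(host_header: Optional[str],
                    allowed: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """True only if the Host header names a host we actually serve.

    Handles a missing header, an optional :port suffix, case differences and
    a trailing dot; refuses values that are not a plain host name.
    """
    if not host_header:
        return False
    m = _HOST_RE.match(host_header.strip())
    if not m:
        return False
    host = m.group("host").lower().rstrip(".")
    return host in {h.lower() for h in allowed}


def find_host_reflection(spoofed_host: str, status: int,
                         headers: Dict[str, str], body: str) -> List[str]:
    """Report where the spoofed Host value shows up in a response.

    A hit in Location (redirect) or in the body (absolute links, password
    reset URLs) is what turns a changed header into an exploitable issue;
    this is the "how the response differs" detail Mark asks for.
    """
    needle = spoofed_host.lower()
    hits = [f"header:{name}" for name, value in headers.items()
            if needle in value.lower()]
    if needle in body.lower():
        hits.append("body")
    return hits


def vulnerable_login_redirect(host_header: str) -> Response:
    """Constructed stand-in for the behaviour reported in the thread: the
    pre-login redirect is built from whatever Host the client sent."""
    return 302, {"Location": f"https://{host_header}/admin/login.jsp"}, ""


def hardened_login_redirect(host_header: Optional[str]) -> Response:
    """Same redirect with the Host header validated first. The Location is
    relative, so the client's Host value never reaches the response."""
    if not host_is_allowed(host_header):
        return 400, {"Content-Type": "text/plain"}, "unknown Host header"
    return 302, {"Location": "/admin/login.jsp"}, ""


def probe(handler, spoofed_host: str = "attacker.example") -> List[str]:
    """Send a request with a spoofed Host to a handler and list reflections."""
    status, headers, body = handler(spoofed_host)
    return find_host_reflection(spoofed_host, status, headers, body)


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_login_redirect),
                          ("hardened", hardened_login_redirect)):
        print(f"{name}: reflected in {probe(handler) or 'nothing'}")
```

When reporting the issue, the probe's output together with the full request (including the `Host:` line) and the differing `Location` header is exactly the material the reply asks for. On the Tomcat side, because requests for a Host name that matches no `<Host>` are routed to `defaultHost`, pointing `defaultHost` at a catch-all `<Host>` whose `appBase` is an empty directory means a request carrying an unexpected Host value gets a 404 instead of reaching the admin application; the application's own check above is still needed wherever it builds absolute URLs from the request.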

