Message from a security scan

["James H. H. Lampert" <ja...@touchtonecorp.com.INVALID>]

We got this from a customer who did a security scan:

> A Tomcat Manager login panel was discovered via path normalization.
> Normalizing a path involves modifying the string that identifies a
> path or file so that it conforms to a valid path on the target
> operating system.
> 
> QID Detection Logic: This QID sends a HTTP GET request with /..;/
> payload and based on the response confirms if the target is
> vulnerable.
> 
> Remediation notes
> 
> Customers are advised to configure the reverse proxy to reject paths
> that contain the Tomcat path parameter character ;

This sounds to me like something external to Tomcat, and external to the 
box Tomcat is running on. Would that be correct?

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Message from a security scan

[Christopher Schultz <ch...@christopherschultz.net>]

James,

On 2/2/23 12:38, James H. H. Lampert wrote:
> That I was "shot down in flames" when I tried to get in from my 
> Chromebook, through the hotspot on my cell phone, makes it unlikely that 
> Tomcat is seeing a proxy IP, especially given that (as I understand it) 
> I would have had to authorize the proxy IP to get in from my office IP, 
> and I have no idea what their proxy IP even is.
> 
> What really puzzles me about the whole thing is that the pen-tester 
> claimed to have gotten a sign-on pane. As I said, this was my first 
> test-case of setting up a working remote address valve, and while I just 
> found and removed two unaccounted-for (probably obsolete) authorized 
> addresses, the odds against the pen-tester trying to get in from one of 
> those addresses were about two billion to one.

Screenshot with current time or it didn't happen.

You could also look at your access logs on both the reverse proxy and 
the Tomcat node.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Message from a security scan

["James H. H. Lampert" <ja...@touchtonecorp.com.INVALID>]

That I was "shot down in flames" when I tried to get in from my 
Chromebook, through the hotspot on my cell phone, makes it unlikely that 
Tomcat is seeing a proxy IP, especially given that (as I understand it) 
I would have had to authorize the proxy IP to get in from my office IP, 
and I have no idea what their proxy IP even is.

What really puzzles me about the whole thing is that the pen-tester 
claimed to have gotten a sign-on pane. As I said, this was my first 
test-case of setting up a working remote address valve, and while I just 
found and removed two unaccounted-for (probably obsolete) authorized 
addresses, the odds against the pen-tester trying to get in from one of 
those addresses were about two billion to one.

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Message from a security scan

[Mark Thomas <ma...@apache.org>]

On 01/02/2023 21:51, James H. H. Lampert wrote:
> On 2/1/23 12:06 PM, Mark Thomas wrote:
>> The pen tester requested "/app/..;/manager"
>>
>> The proxy passed that as is to Tomcat since it starts with "/app"
> 
> Thanks.
> 
> As it happens, this particular customer was the first one in which I 
> tried putting the only IP addresses with any business accessing manager 
> into its remote address valve, instead of just commenting out the valve.
> 
> I tried that syntax in a browser, from an IP address that's allowed to 
> access manager, and it got in.
> 
> I then tried it in a browser on my Chromebook, going through my cell 
> phone's hotspot (which would definitely NOT have a permitted address), 
> and it didn't even get to the sign-on panel before kicking me out with 
> an error message.

ACK.

Providing the proxy and Tomcat are configured such that Tomcat sees the 
real client IP rather than the proxy IP that should be fine.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Message from a security scan

["James H. H. Lampert" <ja...@touchtonecorp.com.INVALID>]

On 2/1/23 12:06 PM, Mark Thomas wrote:
> The pen tester requested "/app/..;/manager"
> 
> The proxy passed that as is to Tomcat since it starts with "/app"

Thanks.

As it happens, this particular customer was the first one in which I 
tried putting the only IP addresses with any business accessing manager 
into its remote address valve, instead of just commenting out the valve.

I tried that syntax in a browser, from an IP address that's allowed to 
access manager, and it got in.

I then tried it in a browser on my Chromebook, going through my cell 
phone's hotspot (which would definitely NOT have a permitted address), 
and it didn't even get to the sign-on panel before kicking me out with 
an error message.

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Message from a security scan

[Mark Thomas <ma...@apache.org>]

On 01/02/2023 18:48, James H. H. Lampert wrote:
> We got this from a customer who did a security scan:
> 
>> A Tomcat Manager login panel was discovered via path normalization.
>> Normalizing a path involves modifying the string that identifies a
>> path or file so that it conforms to a valid path on the target
>> operating system.
>>
>> QID Detection Logic: This QID sends a HTTP GET request with /..;/
>> payload and based on the response confirms if the target is
>> vulnerable.
>>
>> Remediation notes
>>
>> Customers are advised to configure the reverse proxy to reject paths
>> that contain the Tomcat path parameter character ;
> 
> This sounds to me like something external to Tomcat, and external to the 
> box Tomcat is running on. Would that be correct?

Yes. The customer has a reverse proxy (such as httpd, nginx etc). The 
issue will be something like:

Tomcat has contexts "/app", "/manager" and possibly others deployed.

proxy is configured to proxy "/app" to Tomcat

The pen tester requested "/app/..;/manager"

The proxy passed that as is to Tomcat since it starts with "/app"

Tomcat normalized that using Servlet normalization rules (with are not 
the same as HTTP normalization rules) and got "/manager" so the request 
was mapped to the manager app.

Possible mitigations:

1. Remove the manager app from the Tomcat instance

2. Configure the proxy to reject "suspicious" URIs like the one in this 
case. There is a useful list of suspicious URIs in the Servlet 6.0 spec.

Newer versions of httpd have a config setting to normalize proxied URIUs 
using the Servlet rules - that also avoids this issue.

3. Upgrade to Tomcat 10 where such suspicious URIs are rejected by default.

HTH,

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org