You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "James H. H. Lampert" <ja...@touchtonecorp.com.INVALID> on 2023/02/01 18:48:45 UTC
Message from a security scan
We got this from a customer who did a security scan:
> A Tomcat Manager login panel was discovered via path normalization.
> Normalizing a path involves modifying the string that identifies a
> path or file so that it conforms to a valid path on the target
> operating system.
>
> QID Detection Logic: This QID sends a HTTP GET request with /..;/
> payload and based on the response confirms if the target is
> vulnerable.
>
> Remediation notes
>
> Customers are advised to configure the reverse proxy to reject paths
> that contain the Tomcat path parameter character ;
This sounds to me like something external to Tomcat, and external to the
box Tomcat is running on. Would that be correct?
--
JHHL
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Message from a security scan
Posted by Christopher Schultz <ch...@christopherschultz.net>.
James,
On 2/2/23 12:38, James H. H. Lampert wrote:
> That I was "shot down in flames" when I tried to get in from my
> Chromebook, through the hotspot on my cell phone, makes it unlikely that
> Tomcat is seeing a proxy IP, especially given that (as I understand it)
> I would have had to authorize the proxy IP to get in from my office IP,
> and I have no idea what their proxy IP even is.
>
> What really puzzles me about the whole thing is that the pen-tester
> claimed to have gotten a sign-on pane. As I said, this was my first
> test-case of setting up a working remote address valve, and while I just
> found and removed two unaccounted-for (probably obsolete) authorized
> addresses, the odds against the pen-tester trying to get in from one of
> those addresses were about two billion to one.
Screenshot with current time or it didn't happen.
You could also look at your access logs on both the reverse proxy and
the Tomcat node.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Message from a security scan
Posted by "James H. H. Lampert" <ja...@touchtonecorp.com.INVALID>.
That I was "shot down in flames" when I tried to get in from my
Chromebook, through the hotspot on my cell phone, makes it unlikely that
Tomcat is seeing a proxy IP, especially given that (as I understand it)
I would have had to authorize the proxy IP to get in from my office IP,
and I have no idea what their proxy IP even is.
What really puzzles me about the whole thing is that the pen-tester
claimed to have gotten a sign-on pane. As I said, this was my first
test-case of setting up a working remote address valve, and while I just
found and removed two unaccounted-for (probably obsolete) authorized
addresses, the odds against the pen-tester trying to get in from one of
those addresses were about two billion to one.
--
JHHL
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Message from a security scan
Posted by Mark Thomas <ma...@apache.org>.
On 01/02/2023 21:51, James H. H. Lampert wrote:
> On 2/1/23 12:06 PM, Mark Thomas wrote:
>> The pen tester requested "/app/..;/manager"
>>
>> The proxy passed that as is to Tomcat since it starts with "/app"
>
> Thanks.
>
> As it happens, this particular customer was the first one in which I
> tried putting the only IP addresses with any business accessing manager
> into its remote address valve, instead of just commenting out the valve.
>
> I tried that syntax in a browser, from an IP address that's allowed to
> access manager, and it got in.
>
> I then tried it in a browser on my Chromebook, going through my cell
> phone's hotspot (which would definitely NOT have a permitted address),
> and it didn't even get to the sign-on panel before kicking me out with
> an error message.
ACK.
Providing the proxy and Tomcat are configured such that Tomcat sees the
real client IP rather than the proxy IP that should be fine.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Message from a security scan
Posted by "James H. H. Lampert" <ja...@touchtonecorp.com.INVALID>.
On 2/1/23 12:06 PM, Mark Thomas wrote:
> The pen tester requested "/app/..;/manager"
>
> The proxy passed that as is to Tomcat since it starts with "/app"
Thanks.
As it happens, this particular customer was the first one in which I
tried putting the only IP addresses with any business accessing manager
into its remote address valve, instead of just commenting out the valve.
I tried that syntax in a browser, from an IP address that's allowed to
access manager, and it got in.
I then tried it in a browser on my Chromebook, going through my cell
phone's hotspot (which would definitely NOT have a permitted address),
and it didn't even get to the sign-on panel before kicking me out with
an error message.
--
JHHL
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Message from a security scan
Posted by Mark Thomas <ma...@apache.org>.
On 01/02/2023 18:48, James H. H. Lampert wrote:
> We got this from a customer who did a security scan:
>
>> A Tomcat Manager login panel was discovered via path normalization.
>> Normalizing a path involves modifying the string that identifies a
>> path or file so that it conforms to a valid path on the target
>> operating system.
>>
>> QID Detection Logic: This QID sends a HTTP GET request with /..;/
>> payload and based on the response confirms if the target is
>> vulnerable.
>>
>> Remediation notes
>>
>> Customers are advised to configure the reverse proxy to reject paths
>> that contain the Tomcat path parameter character ;
>
> This sounds to me like something external to Tomcat, and external to the
> box Tomcat is running on. Would that be correct?
Yes. The customer has a reverse proxy (such as httpd, nginx etc). The
issue will be something like:
Tomcat has contexts "/app", "/manager" and possibly others deployed.
proxy is configured to proxy "/app" to Tomcat
The pen tester requested "/app/..;/manager"
The proxy passed that as is to Tomcat since it starts with "/app"
Tomcat normalized that using Servlet normalization rules (with are not
the same as HTTP normalization rules) and got "/manager" so the request
was mapped to the manager app.
Possible mitigations:
1. Remove the manager app from the Tomcat instance
2. Configure the proxy to reject "suspicious" URIs like the one in this
case. There is a useful list of suspicious URIs in the Servlet 6.0 spec.
Newer versions of httpd have a config setting to normalize proxied URIUs
using the Servlet rules - that also avoids this issue.
3. Upgrade to Tomcat 10 where such suspicious URIs are rejected by default.
HTH,
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org