Posted to users@tomcat.apache.org by Sebastian Kruk <se...@deri.org> on 2007/06/24 16:06:28 UTC
URI handling bug in Tomcat 6.0.13?
Hello,
just a quick question. Why does a URI like the following:
http://localhost:8080/jeromedl/mbb/filter/marcont:hasDomain/http%3A%2F%2Fdmoz.org%2FTop
result in error 400 - incorrect URI - noSlash error in Tomcat 6.0.13,
while it was correctly handled in Tomcat 5.5?
After investigating a little I have noticed that the problem is in the
%2F sequence (URI encoding of /).
Is there any HTTP specification detail that I have missed, or is it,
as I think it is, a bug in Tomcat 6?
Thanks for any hints,
Cheers,
Sebastian
--------------------------------------------
-- Sebastian Ryszard Kruk
-- Lead Researcher, Project Manager
-- Semantic Infrastructure Lab, eLearning Cluster
-- Digital Enterprise Research Institute
-- National University of Ireland, Galway
-- mailto: sebastian.kruk@deri.org
-- GG: 335067, Jabber: s_kruk@chrome.pl
-- Skype: sebastiankruk
-- WWW: http://www.sebastiankruk.com/
-- mobile (IRL): +353 85 7126591
-- VoIP (PL): +48 52 5110114
--------------------------------------------
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: URI handling bug in Tomcat 6.0.13?
Posted by Sebastian Kruk <se...@deri.org>.
Damn,
should not read/write emails on Sunday - thanks a million,
Cheers,
S.
On 24 Jun 2007, at 17:52, Rainer Jung wrote:
> You didn't really read the part of the page I referred to and
> instead decided to read the CVE. The page I sent you will tell you
> about System properties that make the behaviour configurable.
Re: URI handling bug in Tomcat 6.0.13?
Posted by Rainer Jung <ra...@kippdata.de>.
You didn't really read the part of the page I referred to and instead
decided to read the CVE. The page I sent you will tell you about System
properties that make the behaviour configurable.
--
kippdata
informationstechnologie GmbH Tel: 0228 98549 -0
Bornheimer Str. 33a Fax: 0228 98549 -50
53111 Bonn www.kippdata.de
HRB 8018 Amtsgericht Bonn / VAT ID no. DE 196 457 417
Managing directors: Dr. Thomas Höfer, Rainer Jung, Sven Maurmann
Re: URI handling bug in Tomcat 6.0.13?
Posted by Sebastian Kruk <se...@deri.org>.
Thanks,
so if I got it right - due to some security reasons:
"Directory traversal vulnerability in Apache HTTP Server and Tomcat
5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy
modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to
read arbitrary files via a .. (dot dot) sequence with combinations of
(1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash
(%5C) characters in the URL, which are valid separators in Tomcat but
not in Apache."
... I cannot use a sequence of .. (dot dot), /, \ and %5C.
Yes, but it is strange, since I have neither (dot dot) nor %5C
nor \ [we cannot ban / completely, right?].
Tomcat seems to be reacting strangely to %2F, which has to be
URL-encoded, since this is a URI I am passing to an internal procedure;
if this URI is not URL-encoded, then my regexp-defined REST
service endpoints will freak out and consider only what they see
up to / as a parameter.
As I said before - it seems that Tomcat is sensitive to a %2F in my
URI, which is not on the list above.
http://localhost:8080/jeromedl/mbb/filter/marcont:hasDomain/http%3A%2F%2Fdmoz.org%2FTop
Can you, please, explain what is wrong with this URI? I have a feeling
that although CVE-2007-0450 might be important, it has been
implemented in the wrong way.
Thanks,
Sebastian
On 24 Jun 2007, at 16:09, Rainer Jung wrote:
> Look for "CVE-2007-0450" in
>
> http://tomcat.apache.org/security-6.html
>
> Regards,
>
> Rainer
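As an added example (not code from the thread or from Tomcat itself): a path splitter that applies the policy Rainer's pointer describes, rejecting %2F on the raw request path before any decoding unless an operator switch is set (assumed here to stand in for Tomcat's org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH system property, which the thread does not name), alongside the query-parameter alternative for Sebastian's nested URI. All sample paths other than the thread's own URI are constructed.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Raw (still percent-encoded) request paths. THREAD_PATH is the URI from
# the thread; the other two are constructed for this example.
THREAD_PATH = "/jeromedl/mbb/filter/marcont:hasDomain/http%3A%2F%2Fdmoz.org%2FTop"
UNENCODED_PATH = "/jeromedl/mbb/filter/marcont:hasDomain/http://dmoz.org/Top"
QUERY_FORM = "/jeromedl/mbb/filter/marcont:hasDomain?uri=http%3A%2F%2Fdmoz.org%2FTop"

ENCODED_SLASH = re.compile(r"%2[fF]")
ENCODED_BACKSLASH = re.compile(r"%5[cC]")


def split_path(raw_path, allow_encoded_slash=False):
    """Return (status, segments) for a raw request path.

    Mimics the policy Tomcat 6.0.10+ applies (this is not Tomcat's code):
    encoded separators are checked on the raw bytes, before decoding, and
    rejected with 400 unless the operator opted in. The flag here is an
    assumed analogue of ALLOW_ENCODED_SLASH; backslashes in either form
    are always rejected by this example.
    """
    if "\\" in raw_path or ENCODED_BACKSLASH.search(raw_path):
        return 400, []
    if ENCODED_SLASH.search(raw_path) and not allow_encoded_slash:
        return 400, []
    # Split on the literal '/' first and decode each segment afterwards:
    # a decoded %2F stays inside its own segment and cannot create,
    # remove or re-order segments after routing has already happened.
    segments = [unquote(seg) for seg in raw_path.split("/") if seg]
    if any(seg in (".", "..") for seg in segments):
        return 400, []
    return 200, segments


def target_from_query(raw_request_uri):
    """Carry the nested URI as a query parameter instead of a path segment.

    Inside a query value %2F has no routing meaning, so the application
    gets the full nested URI back without relaxing the server's path policy.
    """
    values = parse_qs(urlsplit(raw_request_uri).query).get("uri", [])
    return values[0] if values else None


if __name__ == "__main__":
    print(split_path(THREAD_PATH))                            # default policy: 400
    print(split_path(THREAD_PATH, allow_encoded_slash=True))  # one segment holds the URI
    print(split_path(UNENCODED_PATH))                         # raw '/' splits the URI apart
    print(target_from_query(QUERY_FORM))                      # nested URI intact
```

The third call shows the breakage Sebastian describes: with a raw slash the nested URI is spread over several segments, so a route that takes "the segment after hasDomain" only sees "http:".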
Re: URI handling bug in Tomcat 6.0.13?
Posted by Rainer Jung <ra...@kippdata.de>.
Look for "CVE-2007-0450" in
http://tomcat.apache.org/security-6.html
Regards,
Rainer