
I have a JEE service on a Tomcat 9 container (Debian 10.8). In front of it an Apache Web Server + mod_proxy_ajp.

In my VH I do not have any ProxyPass rule for /manager/html context but if on a Web client I rewrite my URL adding /..;/manager/html (e.g.: https://www.example.org/site/..;/manager/html) the Tomcat Manager asks for credentials.

Is there a trick to avoid it? Maybe using modsecurity?
Thanks.

2 Answers


  1. Chosen as BEST ANSWER

    I solved the problem using a mod_security rule:

    # Deny (403 by default) any request whose URI contains a "..;/" segment;
    # the dots are escaped so the pattern matches literal dots only.
    SecRule REQUEST_URI "@rx \.\.;/" "phase:1,id:129,severity:'CRITICAL',deny,msg:'Path parameter on dot-dot segment'"
    

    It works.


  2. Since path parameters are only used in Tomcat for session tracking (as an alternative to cookies), you can safely remove them in Apache2 from the .. path segment:

    RewriteEngine on
    # Escaped dots: only a literal ".." segment followed by a path parameter is rewritten.
    RewriteRule ^(.*)/\.\.;[^/]*(.*)$ $1/..$2 [N]
    

    Alternatively you can remove them altogether:

    RewriteEngine on
    RewriteRule ^(.*);[^/]*(.*)$ $1$2 [N]
    

    and configure Tomcat to use only cookies for session tracking in $CATALINA_BASE/conf/web.xml:

        <session-config>
            ...
            <tracking-mode>COOKIE</tracking-mode>
        </session-config>
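To see why the two answers above work, here is a small model of how Apache and Tomcat each canonicalise the same request path, plus a check that runs it over access-log lines. This is an added example, not code from either answer; the function names are hypothetical and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "common" log format (not from the question).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:10:00:01 +0000] "GET /site/index.jsp HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2021:10:00:02 +0000] "GET /site/..;/manager/html HTTP/1.1" 401 0
203.0.113.7 - - [10/Mar/2021:10:00:03 +0000] "GET /site/app;jsessionid=ABC/page HTTP/1.1" 200 88
"""
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def strip_path_params(path):
    """Drop ';...' from every segment: what Tomcat does before mapping a
    request, and what the RewriteRule in the answer does inside Apache."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def resolve_dots(path):
    """Collapse '.' and '..' segments. Only a literal '..' counts, so a
    segment such as '..;' is kept as an ordinary directory name."""
    out = []
    for seg in path.split("/")[1:]:
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def apache_view(uri):
    """Path as Apache routes it: percent-decode, then collapse dot segments."""
    return resolve_dots(unquote(uri.split("?", 1)[0]))

def tomcat_view(uri):
    """Path as Tomcat maps it: decode, strip path parameters, then collapse."""
    return resolve_dots(strip_path_params(unquote(uri.split("?", 1)[0])))

def escapes_proxied_context(uri):
    """True when Tomcat would serve the request from a different context
    than the first path segment Apache matched against its ProxyPass."""
    apache_ctx = apache_view(uri).split("/")[1]
    tomcat_ctx = tomcat_view(uri).split("/")[1]
    return apache_ctx != tomcat_ctx

def find_escapes(log_text):
    """Return the request paths in an access log where the two views disagree."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and escapes_proxied_context(m.group(1)):
            hits.append(m.group(1))
    return hits
```

Running the rewrite from the answer first (`strip_path_params`) makes both views agree, which is why the mismatch disappears once Apache removes the path parameters itself.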
    