How to fix directory traversal vulnerability on Tomcat 9

Time:09-17

I have a JEE service on a Tomcat 9 container (Debian 10.8). In front of it an Apache Web Server mod_proxy_ajp.

In my VH I do not have any ProxyPass rule for the /manager/html context, but if on a Web client I rewrite my URL adding /..;/manager/html (e.g.: https://www.example.org/site/..;/manager/html) the Tomcat Manager asks for credentials.

Is there a trick to avoid it? Maybe using modsecurity? Thanks.

CodePudding user response:

I solved the problem using a mod_security rule:

# Dots escaped so the pattern matches a literal "..;/" rather than any two characters followed by ";/"
SecRule REQUEST_URI "@rx \.\.;/" "phase:1,severity:'CRITICAL',deny,id:129"

It works.

CodePudding user response:

Since path parameters are only used in Tomcat for session tracking (as an alternative to cookies), you can safely remove them in Apache2 from the .. path segment:

RewriteEngine on
RewriteRule ^(.*)/\.\.;[^/]*(.*)$ $1/..$2 [N]

Alternatively you can remove them altogether:

RewriteEngine on
RewriteRule ^(.*);[^/]*(.*)$ $1$2 [N]

and configure Tomcat to use only cookies for session tracking in $CATALINA_BASE/conf/web.xml:

    <session-config>
        ...
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
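As an added illustration, not code from the question or from either answer: the script below models why the request in the question slips past the proxy and what the two answers change. Tomcat discards the ";param" suffix of every path segment before it resolves "." and "..", so "/site/..;/manager/html" maps to "/manager/html" on the backend, while a front end that treats "..;" as an ordinary segment name still sees a path under "/site/" and forwards it. The functions then apply the second answer's rewrite (strip ";..." from every segment) and the first answer's detection pattern (with the dots escaped) to a few constructed request paths. The prefix "/site/" and the sample paths are assumptions for the example; the normalization is a simplified model, not either server's real code.

```python
import re
from urllib.parse import unquote

# Constructed request paths (not from the original post). The first two carry
# the "..;" segment the question describes; the last two are ordinary requests.
SAMPLE_PATHS = [
    "/site/..;/manager/html",
    "/site/x/..;/..;/manager/html",
    "/site/app;jsessionid=ABC123/index.jsp",
    "/site/index.jsp",
]

PROXIED_PREFIX = "/site/"  # assumed ProxyPass prefix for this example


def normalize(path: str, strip_path_params: bool) -> str:
    """Resolve '.' and '..' segments in a request path.

    With strip_path_params=True this approximates Tomcat's mapping: the ';param'
    suffix of every segment is discarded before dot segments are resolved, so
    '..;' behaves like '..'. With False it models a front end that treats '..;'
    as an ordinary segment name. Simplified model, not either server's code.
    """
    out = []
    for seg in path.split("/"):
        if strip_path_params:
            seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    result = "/" + "/".join(out)
    if path.endswith("/") and out:  # keep a trailing slash, e.g. "/site/"
        result += "/"
    return result


def strip_path_params(path: str) -> str:
    """Equivalent of the second answer's RewriteRule: drop ';...' from every segment."""
    return re.sub(r";[^/]*", "", path)


def is_proxied(path: str) -> bool:
    """Front-end prefix check as the proxy sees it (no ';'-aware normalization)."""
    return normalize(path, strip_path_params=False).startswith(PROXIED_PREFIX)


def backend_target(path: str) -> str:
    """Where Tomcat would map the request after its own normalization."""
    return normalize(path, strip_path_params=True)


def escapes_prefix(path: str) -> bool:
    """True when the proxy forwards the request but Tomcat maps it outside the prefix."""
    return is_proxied(path) and not backend_target(path).startswith(PROXIED_PREFIX)


# Detection equivalent of the first answer's rule, with the dots escaped so the
# pattern means a literal "..;/" and not "any two characters followed by ;/".
DOT_DOT_PARAM = re.compile(r"\.\.;/")


def flagged(path: str) -> bool:
    """Flag a raw request path; decoded first so the check sees what Tomcat sees."""
    return DOT_DOT_PARAM.search(unquote(path)) is not None


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        rewritten = strip_path_params(p)
        print(f"{p:40} proxied={is_proxied(p)!s:5} tomcat->{backend_target(p):22}"
              f"escapes={escapes_prefix(p)!s:5} flagged={flagged(p)!s:5} "
              f"after_rewrite={rewritten} proxied_after={is_proxied(rewritten)}")
```

Running it shows the two "..;" paths as forwarded by the proxy yet mapped to "/manager/html" by Tomcat, flagged by the detection pattern, and no longer forwarded once the rewrite has turned "..;" into a plain ".." that the front end resolves itself; the jsessionid request is left working. In ModSecurity the decoding step corresponds to applying the t:urlDecodeUni transformation before the @rx match.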