From http://tomcat.apache.org/security-5.html

Fixed in Apache Tomcat 5.5.22, 5.0.HEAD

Directory traversal CVE-2007-0450

Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used behind a proxy (including, but not limited to, Apache HTTP server with mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP request containing strings like "/\../" may allow attackers to work around the context restriction of the proxy, and access the non-proxied contexts.

The following Java system properties have been added to Tomcat to provide additional control of the handling of path delimiters in URLs (both options default to false):

* org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true|false
* org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true|false

Due to the impossibility to guarantee that all URLs are handled by Tomcat as they are in proxy servers, Tomcat should always be secured as if no proxy restricting context access was used.

Affects: 5.5.0-5.5.21, 5.0.0-5.0.30

Advisory text: "Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct a HTTP request to work around the context restriction and potentially access non-proxied content. (CVE-2007-0450)"

If the customer has unsecured access to /jmx-console or /web-console running on localhost and uses mod_jk/mod_proxy, an attack request could get access to them.

This issue has been addressed in following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html
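
An added detection example, not code from Tomcat or from this report: it scans proxy access-log lines for requests that the proxy would forward but that resolve outside the proxied contexts once '\', '%2F' and '%5C' are treated as path delimiters. The proxied context "/app", the log lines and both path models are constructed assumptions; the models are simplifications, not Tomcat's or mod_jk's actual parsing.

```python
import posixpath
import re

# Assumption (hypothetical deployment): the proxy forwards only these contexts.
PROXIED_CONTEXTS = {"/app"}

# The three alternate delimiters named in the advisory: '\', '%2F', '%5C'.
ALT_DELIMS = re.compile(r"\\|%2f|%5c", re.IGNORECASE)
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def context(path):
    """Return the first path segment, e.g. '/app' for '/app/x/y'."""
    return "/" + path.lstrip("/").split("/")[0]

def proxy_view(raw):
    """Simplified proxy model: only a literal '/' separates segments."""
    return posixpath.normpath(raw.split("?", 1)[0])

def permissive_view(raw):
    """Simplified backend model: alternate delimiters behave like '/'."""
    return posixpath.normpath(ALT_DELIMS.sub("/", raw.split("?", 1)[0]))

def escapes_context(raw):
    """True if the proxy would forward the request but the permissive
    backend resolves it to a context the proxy does not expose."""
    return (context(proxy_view(raw)) in PROXIED_CONTEXTS
            and context(permissive_view(raw)) not in PROXIED_CONTEXTS)

def scan(log_lines):
    """Return the request paths in the log that escape the proxied contexts."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m and escapes_context(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample access-log lines (not taken from any real system).
SAMPLE_LOG = [
    r'192.0.2.10 - - [01/Jan/2007:10:00:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    r'192.0.2.11 - - [01/Jan/2007:10:00:05 +0000] "GET /app/\../jmx-console/ HTTP/1.1" 200 2048',
    r'192.0.2.11 - - [01/Jan/2007:10:00:09 +0000] "GET /app/%5C../web-console/ HTTP/1.1" 200 2048',
    r'192.0.2.12 - - [01/Jan/2007:10:00:12 +0000] "GET /app/docs%2Fguide.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for path in scan(SAMPLE_LOG):
        print("context escape:", path)
```

The last sample line contains '%2F' but stays inside /app under both models, so it is not flagged; only requests whose resolved context differs between the two views are reported.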