Bug 237080 (CVE-2007-0450) - CVE-2007-0450 tomcat directory traversal
Summary: CVE-2007-0450 tomcat directory traversal
Alias: CVE-2007-0450
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: All
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 237086 237088 237089 237090 237109 238402 238574 240208 390331 390341 390351 390361 414311 430730 430731 449337 470236 470237
Blocks: 444136
TreeView+ depends on / blocked
Reported: 2007-04-19 11:56 UTC by Mark J. Cox
Modified: 2019-09-29 12:20 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-02-23 07:22:30 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:1069 0 normal SHIPPED_LIVE Moderate: tomcat security update for Red Hat Network Satellite Server 2007-11-26 13:56:32 UTC
Red Hat Product Errata RHSA-2010:0602 0 normal SHIPPED_LIVE Moderate: Red Hat Certificate System 7.3 security update 2010-08-05 14:04:51 UTC

Description Mark J. Cox 2007-04-19 11:56:53 UTC
From http://tomcat.apache.org/security-5.html

Fixed in Apache Tomcat 5.5.22, 5.0.HEAD

Directory traversal CVE-2007-0450

Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used
behind a proxy (including, but not limited to, Apache HTTP server with mod_proxy
and mod_jk) configured to only proxy some contexts, a HTTP request containing
strings like "/\../" may allow attackers to work around the context restriction
of the proxy, and access the non-proxied contexts.

The following Java system properties have been added to Tomcat to provide
additional control of the handling of path delimiters in URLs (both options
default to false):

      * org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true|false
      * org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true|false

Due to the impossibility to guarantee that all URLs are handled by Tomcat as
they are in proxy servers, Tomcat should always be secured as if no proxy
restricting context access was used.

Affects: 5.5.0-5.5.21, 5.0.0-5.0.30

Comment 4 Mark J. Cox 2007-04-23 10:39:57 UTC
Advisory text: "Tomcat permitted various characters as path delimiters.  If
Tomcat was used behind a certain proxies and configured to only proxy some
contexts, an attacker could construct a HTTP request to work around the context
restriction and potentially access non-proxied content.  (CVE-2007-0450)"

Comment 5 Jean-frederic Clere 2007-05-02 06:36:33 UTC
If the customer as an unsecure access to /jmx-console or /web-console running on
localhost and use mod_jk/mod_proxy an attack request could get access to them.

Comment 11 errata-xmlrpc 2010-08-04 21:32:29 UTC
This issue has been addressed in following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html

Note You need to log in before you can comment on or make changes to this bug.