Bug 237656 - (CVE-2007-1860) CVE-2007-1860 mod_jk sends decoded URL to tomcat
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: reported=20070420,source=asf,impact=i...
Keywords: Security
Depends On: 237657 237658 240947 242451 430726 430727 449337
Blocks: 444136
Reported: 2007-04-24 11:06 EDT by Mark J. Cox (Product Security)
Modified: 2010-05-11 04:57 EDT (History)
Doc Type: Bug Fix
Last Closed: 2010-05-11 04:57:30 EDT
Attachments
Patch for tomcat-connectors change the default value of JK_OPT_FWDURIDEFAUL (1.58 KB, patch), 2007-05-15 12:12 EDT, Jean-frederic Clere

Description Mark J. Cox (Product Security) 2007-04-24 11:06:36 EDT
It was reported that the patch for CVE-2007-0450 was insufficient as a carefully
crafted encoded URL could still bypass a proxy.  However, this is due to an
interaction with mod_jk, where mod_jk sends a decoded URL to Tomcat but it
should send a raw URL.

Jean-Frederic writes:

What mod_jk sends to Tomcat
+++
12 34 01 A9 02 02 00 08 48 54 54 50 2F 31 2E 31  - .4......HTTP/1.1
00 00 1A 2F 6D 79 61 70 70 2F 25 32 45 25 32 45  - .../myapp/%2E%2E
2F 6D 61 6E 61 67 65 72 2F 68 74 6D 6C 00 00 0C  - /manager/html...
+++
Tomcat decodes the %2E%2E into .. and normalises /myapp/../manager/html
to /manager/html.

The Tomcat security team gives this advice:

Due to the impossibility of guaranteeing that all URLs are handled by Tomcat as
they are in every possible proxy server, Tomcat should always be secured as if
no proxy restricting context access was used.

Note that this issue is not yet public.
Comment 1 Mark J. Cox (Product Security) 2007-04-24 11:12:46 EDT
Jean-Frederic said that "JkOptions ForwardURICompatUnparsed" should prevent
the problem and mod_jk code should be changed to use it as default value.
(The actual value ForwardURICompat breaks the specs).
Comment 2 Vivek Lakshmanan 2007-04-24 14:47:08 EDT
(In reply to comment #1)
> Jean-Frederic said that "JkOptions ForwardURICompatUnparsed" should prevent
> the problem and mod_jk code should be changed to use it as default value.
> (The actual value ForwardURICompat breaks the specs).

ForwardURICompat is the default option and can be overridden with something like
JkOptions +ForwardURICompatUnparsed in the conf file. Note that we don't install
conf files for mod_jk - we have samples, so the change can't be made in the
conf file. Our samples don't mention JkOptions either so customers using them
will use the default.

Is Jean-Frederic suggesting that the code be made to use
ForwardURICompatUnparsed by default? Is there a patch for this? Note that
documentation would need to be updated for this as well since most of it
suggests that the default is ForwardURICompat.
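Added example (not part of the bug report, mod_jk or Tomcat): a parser for the AJP13 Forward Request header applied to the packet bytes from the dump in the description, plus a small model of the two forwarding modes discussed in comment 2. The raw request line is not on the page; the example assumes a double-encoded `%252E%252E` request, which is what Apache's single decode would turn into the `%2E%2E` seen in the dump, and uses posixpath.normpath as a stand-in for the servers' own path normalisation.

```python
import struct
from posixpath import normpath
from urllib.parse import unquote
# Packet bytes copied from the dump in the description. The dump stops after
# the length prefix (0x000C) of the string that follows req_uri, so only the
# fields up to req_uri are parsed and the declared length 0x01A9 is not checked.
AJP_DUMP = bytes.fromhex(
    "12 34 01 A9 02 02 00 08 48 54 54 50 2F 31 2E 31 "
    "00 00 1A 2F 6D 79 61 70 70 2F 25 32 45 25 32 45 "
    "2F 6D 61 6E 61 67 65 72 2F 68 74 6D 6C 00 00 0C"
)
AJP_MAGIC = b"\x12\x34"          # web server -> servlet container direction
JK_AJP13_FORWARD_REQUEST = 2
AJP_METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST"}  # partial table

def ajp_string(buf, pos):
    """AJP string: 2-byte big-endian length, the bytes, then a NUL byte."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if n == 0xFFFF:              # AJP's encoding of a null string
        return None, pos + 2
    return buf[pos + 2:pos + 2 + n].decode("latin-1"), pos + 3 + n

def parse_forward_request(pkt):
    """Return method, protocol and req_uri from a Forward Request packet."""
    if pkt[:2] != AJP_MAGIC or pkt[4] != JK_AJP13_FORWARD_REQUEST:
        raise ValueError("not an AJP13 forward request")
    protocol, pos = ajp_string(pkt, 6)
    req_uri, _ = ajp_string(pkt, pos)
    return {"method": AJP_METHODS.get(pkt[5], pkt[5]),
            "protocol": protocol, "req_uri": req_uri}

def httpd_uri(raw):
    """Apache's r->uri: one percent-decode, then ap_getparents-style
    normalisation (normpath stands in for it). <Location> matches use this."""
    return normpath(unquote(raw))

def forwarded_uri(raw, unparsed):
    """ForwardURICompatUnparsed forwards the request line as received;
    ForwardURICompat (the old default) forwards the already decoded r->uri."""
    return raw if unparsed else httpd_uri(raw)

def tomcat_uri(req_uri):
    """The container decodes the forwarded URI once more and normalises it."""
    return normpath(unquote(req_uri))

if __name__ == "__main__":
    raw = "/myapp/%252E%252E/manager/html"   # assumed double-encoded request
    print(parse_forward_request(AJP_DUMP)["req_uri"],
          tomcat_uri(forwarded_uri(raw, False)), tomcat_uri(forwarded_uri(raw, True)))
```

With the old default the container resolves the forwarded URI to a path that Apache's own <Location> check never saw, which is why the Tomcat team's advice above is to secure Tomcat as if no proxy restriction existed.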
Comment 3 Vivek Lakshmanan 2007-04-24 14:54:50 EDT
[Adding Jean-Frederic to CC list]
JF - Can you take a look at the above and let me know what you think?
 
Comment 4 Jean-frederic Clere 2007-04-24 17:02:13 EDT
Yes the mod_jk code should be made to use ForwardURICompatUnparsed by default.
No there isn't a patch for the moment.
Comment 5 Vivek Lakshmanan 2007-04-25 10:16:59 EDT
(In reply to comment #4)
> Yes the mod_jk code should be made to use ForwardURICompatUnparsed by default.
> No there isn't a patch for the moment.
Thanks for the clarification. Please update the BZ when a patch is available.

Comment 7 Jean-frederic Clere 2007-05-15 12:12:21 EDT
Created attachment 154748 [details]
Patch for tomcat-connectors change the default value of JK_OPT_FWDURIDEFAUL

Patch for svn.apache.org/repos/asf/tomcat/connectors/trunk (15/05/2007).
It changes the default behaviour of mod_jk and has not yet been committed to
the ASF repos.
Comment 8 Mark J. Cox (Product Security) 2007-05-23 05:27:58 EDT
This is now public at http://tomcat.apache.org/security-jk.html, removing embargo.