Mladen Turk wrote:
> Mark Thomas wrote:
>>
>>> Did I mention that uri is *not* decoded twice?
>>
>> You did and I still don't agree. The root cause of CVE-2007-1860 was a
>> double decoding. Once in httpd/mod_jk and once in Tomcat.
>>
>
> Why don't you agree?
> Please provide a use case and confirm your statements are
> legitimate.
Note: The name of the directory has been chosen to have the greatest variation in behaviour, but the general case is any resource name that contains %nn sequences. This isn't a frequent occurrence; I have only seen %nn in a resource name in a WebDAV context, and then not that often.

Software:
- Win XP Home SP2 + patches
- Sun JDK 1.6.0_01
- Tomcat 5.5.x built from svn r545026
- mod_jk 1.2.x built from svn r545026 with Visual Studio 6 SP6
- mod_jk 1.2.23 downloaded from mirrors
- mod_jk 1.2.22 downloaded from archive
- httpd 2.2.4 downloaded from mirrors

All software installed on a single machine.

Configuration:
- Tomcat defaults
- Single ajp13 worker
- JkMount /jsp-examples/* worker1

A simple 'hello world' html file was created at (directories created where required):
<appBase>/jsp-examples/%2e%2e/servlets-examples/index.html

Test 1: Tomcat only
http://localhost:8080/jsp-examples/%252e%252e/servlets-examples/index.html
This correctly showed the index.html I created above.

Test 2: httpd + mod_jk 1.2.22 + Tomcat
http://localhost/jsp-examples/%252e%252e/servlets-examples/index.html
This displayed the index.html from the /servlets-examples context. This is security issue CVE-2007-1860.

Test 3: httpd + mod_jk 1.2.23 + Tomcat
http://localhost/jsp-examples/%252e%225e/servlets-examples/index.html
This correctly showed the index.html I created above. The issue here is that any URL manipulation (e.g. mod_rewrite) is bypassed.

Test 4: httpd + mod_jk svn r545026 + Tomcat
http://localhost/jsp-examples/%252e%252e/servlets-examples/index.html
404 is returned. This is incorrectly blocking access to the resource.

My expectation is that:
A) A request for http://host:port/jsp-examples/%252e%225e/servlets-examples/index.html returns the correct file for Tomcat standalone and for httpd + mod_jk + Tomcat
B) No security issues
C) The full features of httpd (mod_rewrite etc.) are available when using mod_jk

Given that B) is a must, does this make A and C mutually exclusive?
I don't know mod_jk or httpd well enough to make such a pronouncement, but I would be surprised if one of the httpd / mod_jk gurus couldn't find a solution that allows A, B & C.
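The decode/forward chain behind the four tests above, as an added example that is not part of the original mail and is not Tomcat or mod_jk code. It is a constructed model: the file table, the hypothetical rewrite rule and the two forwarding modes (httpd's decoded path as 1.2.22 did, the raw URI as 1.2.23 does) are assumptions chosen to reproduce the observed outcomes, not an account of the real AJP implementation.

```python
# Added example: a small model of the percent-decoding chain discussed in the thread.
# It is NOT Tomcat or mod_jk code; the functions and the file table below are constructed
# to reproduce the test outcomes described in the mail.
import posixpath
from urllib.parse import unquote

# Constructed view of <appBase>: resolved request path -> which file would be served.
APP_BASE_FILES = {
    "/jsp-examples/%2e%2e/servlets-examples/index.html": "hello world (file created under jsp-examples)",
    "/servlets-examples/index.html": "index.html of the servlets-examples context",
}

# Hypothetical httpd rewrite rule (prefix -> replacement) that runs on the decoded path,
# standing in for "any url manipulation (eg mod-rewrite)" in the front end.
REWRITES = {"/old-examples/": "/jsp-examples/"}


def tomcat_resolve(uri):
    """Model of Tomcat's request mapping: decode %nn once, then collapse '..' segments."""
    return posixpath.normpath(unquote(uri))


def httpd_front_end(raw_uri, forward_raw):
    """Model of httpd + mod_jk (assumption, not the real module).

    httpd works on the decoded path, which is where rewrites operate. mod_jk then
    forwards either that decoded path (1.2.22 behaviour: Tomcat decodes it again)
    or the original raw URI (1.2.23 behaviour: the rewrite never reaches Tomcat).
    """
    decoded = unquote(raw_uri)
    for prefix, replacement in REWRITES.items():
        if decoded.startswith(prefix):
            decoded = replacement + decoded[len(prefix):]
    return raw_uri if forward_raw else decoded


def serve(raw_uri, front_end=None):
    """Return (resolved path, served content) for one deployment:
    front_end=None (Tomcat only), "1.2.22" or "1.2.23"."""
    if front_end is None:
        forwarded = raw_uri
    else:
        forwarded = httpd_front_end(raw_uri, forward_raw=(front_end == "1.2.23"))
    path = tomcat_resolve(forwarded)
    return path, APP_BASE_FILES.get(path)


def context_of(path):
    """First path segment, i.e. the web application context the request lands in."""
    return "/" + path.split("/")[1]


def second_decode_changes_path(raw_uri):
    """Detection check: does decoding a second time move the request somewhere else?
    True for the %252e%252e probe, False for ordinary URIs and for a plain %2e%2e,
    which single decoding plus normalization already handles."""
    once = posixpath.normpath(unquote(raw_uri))
    twice = posixpath.normpath(unquote(unquote(raw_uri)))
    return once != twice


if __name__ == "__main__":
    probe = "/jsp-examples/%252e%252e/servlets-examples/index.html"
    for fe in (None, "1.2.22", "1.2.23"):
        path, content = serve(probe, fe)
        print(f"{fe or 'Tomcat only':11}: {path} -> {content}")
    print("rewritten request, 1.2.22:", serve("/old-examples/index.html", "1.2.22")[0])
    print("rewritten request, 1.2.23:", serve("/old-examples/index.html", "1.2.23")[0])
    print("probe flagged:", second_decode_changes_path(probe))
```

Run as a script, the model reproduces tests 1 to 3: Tomcat alone and the raw-forwarding front end land on the created file, while the decoded-forwarding front end escapes into /servlets-examples. The two rewrite lines show the cost of raw forwarding that the mail calls out under C: the rule that fires in httpd is not reflected in what Tomcat receives. `second_decode_changes_path` is the kind of check a practitioner could apply to access logs or at a proxy to spot double-encoded traversal probes without blocking legitimate %nn resource names.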
