[Bug 61369] Tomcat 8.5.16 vulnerable to CVE-2016-0793
https://bz.apache.org/bugzilla/show_bug.cgi?id=61369

--- Comment #5 from Christopher Schultz ---
(In reply to Mark Thomas from comment #3)
> The canonical path check is still required to enforce the required case
> sensitivity.
>
> The Windows APIs, most likely for reasons dating back to how 8.3 filenames
> were stored [1], ignore trailing periods in file names. That explains why
> allowLinking="true" enables this vulnerability. As far as the OS APIs are
> concerned, "/WEB-INF./web.xml" is the same as "/WEB-INF/web.xml" and setting
> allowLinking="true" bypasses the additional checks Tomcat performs to ensure
> an exact match between the requested path and the canonical path.
>
> Just need confirmation from the OP that allowLinking="true" was being used
> and this issue can be closed.
>
> [1] https://superuser.com/questions/585097/why-does-ntfs-disallow-the-use-of-trailing-periods-in-directory-names

I propose the following:

1. On Windows, check for "/WEB-INF." and any other special paths which are already checked for access.

and/or

2. On Windows, if allowLinking="true", drop a GIANT ERROR to stdout and do a Thread.sleep(5mins) before proceeding with bringing up the server.

--
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Brett Schoppert changed:
           What    |Removed |Added
        Resolution |---     |INVALID
            Status |NEEDINFO|RESOLVED

--- Comment #4 from Brett Schoppert ---
Yes, in this context allowLinking was set to true ... resolving the issue. Thanks for the feedback.

Mark Thomas changed:
           What    |Removed |Added
            Status |NEW     |NEEDINFO

--- Comment #3 from Mark Thomas ---
The canonical path check is still required to enforce the required case sensitivity.

The Windows APIs, most likely for reasons dating back to how 8.3 filenames were stored [1], ignore trailing periods in file names. That explains why allowLinking="true" enables this vulnerability. As far as the OS APIs are concerned, "/WEB-INF./web.xml" is the same as "/WEB-INF/web.xml" and setting allowLinking="true" bypasses the additional checks Tomcat performs to ensure an exact match between the requested path and the canonical path.

Just need confirmation from the OP that allowLinking="true" was being used and this issue can be closed.

[1] https://superuser.com/questions/585097/why-does-ntfs-disallow-the-use-of-trailing-periods-in-directory-names
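A runnable model of the lookup Mark describes in comment #3, with the extra segment check from proposal 1 in comment #5, added here as an example and not Tomcat's own code. The Windows name semantics (trailing periods ignored) are simulated with a string strip rather than taken from the OS, and the function names are hypothetical.

```python
import posixpath

# Directories the Servlet specification requires the container never to serve directly.
PROTECTED_DIRS = {"web-inf", "meta-inf"}


def windows_name(segment: str) -> str:
    """Name the Windows file APIs actually open for one path segment.
    Assumption taken from comment #3: trailing periods (and spaces) are ignored."""
    return segment.rstrip(". ")


def windows_canonical(path: str) -> str:
    """Canonical form of a normalized '/'-separated path under those semantics."""
    return "/".join(windows_name(s) for s in path.split("/"))


def normalize(request_path: str) -> str:
    """Collapse '.' and '..' segments, as the container does before the file lookup."""
    return posixpath.normpath("/" + request_path.lstrip("/"))


def exposes_protected_dir(request_path: str, allow_linking: bool,
                          hardened: bool = False) -> bool:
    """Return True when the request would be served out of WEB-INF or META-INF
    on Windows. Models the three checks the thread describes:
      1. the literal protected name (case-insensitive) is always refused;
      2. with hardened=True, the Windows alias such as "WEB-INF." is refused
         as well (proposal 1 in comment #5);
      3. the canonical-path safety net, which allowLinking="true" switches off."""
    path = normalize(request_path)
    segments = [s for s in path.split("/") if s]
    if any(s.lower() in PROTECTED_DIRS for s in segments):
        return False                                   # check 1
    if hardened and any(windows_name(s).lower() in PROTECTED_DIRS for s in segments):
        return False                                   # check 2
    if not allow_linking and windows_canonical(path) != path:
        return False                                   # check 3: requested != canonical
    # Whatever survives is handed to the OS, which maps "WEB-INF." onto "WEB-INF".
    return any(windows_name(s).lower() in PROTECTED_DIRS for s in segments)
```

With allow_linking=False the canonical-path comparison alone stops the aliased name; with allow_linking=True only the hardened segment check does.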

--- Comment #2 from Remy Maucherat ---
The canonical path comparison is a last resort safety net. So it's still useful then, that's interesting. If you confirm the behavior, it seems we're good as is, the check is supposed to catch this and prevent trouble (but then a webapp has to be fully packaged as per the specification).

Svetlin Zarev changed:
           What    |Removed |Added
                CC |        |svetlin.za...@abv.bg

Mark Thomas changed:
           What    |Removed |Added
                OS |        |All

--- Comment #1 from Mark Thomas ---
As per http://tomcat.apache.org/security.html security vulnerabilities should be reported privately to the Apache Tomcat Security Team - not via the public bug tracker. Reporting vulnerabilities publicly potentially exposes all Tomcat users to the vulnerability until the vulnerability is patched.

Unfortunately, once information on a vulnerability is made public it can't be made private. Given the circumstances, we might as well make the best of this and use it as an opportunity to give the Tomcat community an insight into how the Tomcat security team addresses a security vulnerability and keep discussion on this issue in the open. There is one caveat. If, during the investigation, we uncover a separate but related security issue we will keep that information private until that separate issue is resolved.

My initial reaction to this report is that - knowing how the WEB-INF check is implemented - I'd be surprised if this was valid. The usual way the check is bypassed on Windows is setting allowLinking=true (and setting that on Windows is a configuration error). In this case I don't think that would allow the behaviour seen here. Other possible causes are a poorly configured reverse proxy or an unusual configuration of appBase and docBase.

Next steps are to see if the report can be reproduced. I don't have a Windows Server 2012 R2 install to hand so I have started the process to set one up.

While the 2012 R2 ISO is downloading, I tested a clean build of the latest 8.5.x code running on Windows 7 and I do not see this behaviour, i.e. http://localhost:8080/WEB-INF./web.xml returns a 404.

If I set allowLinking="true" I do see the behaviour described here. That is a surprise. The good news is that that makes this a configuration error. There is a very clear warning in the documentation that setting allowLinking="true" on Windows or any platform with a case insensitive file system will create security issues.

However, before resolving this issue as invalid we need to:
- confirm with the OP that they had set allowLinking="true"
- figure out why allowLinking="true" allows this particular bypass to occur

Brett Schoppert changed:
           What    |Removed |Added
                OS |        |Windows Server 2012