Test it yourself. Are you able to access a directory or file below the
level of the webapps directory, simply by using a specially crafted request?
*With our testing we could not access any files/directories outside the webapps
folder.*
Thanks & Regards,
Aditi
For example, if inside of your webapps directory, you had symbolic links
leading elsewhere (but I don't think that under Windows this works).
*Inside webapps directory, we do not have any symbolic links.*
In your normal setup, is there any front-end system in front of Tomcat, or
do clients
alwa
>> *Whether someone can get access to any file/directory outside the tomcat
>> webapps folder using "Style 1 (using ..\ equivalent in the URL itself)
>> Directory traversal attack (scoped to Tomcat) on Windows".*
Have you tried this?
How does Tomcat respond?
I tried to access some files outsid
On 22/11/2012 09:52, Aditi Sinha wrote:
> Hi Andre,
>
> Agree with your points.
>
> Just wanted to know more about "Directory Traversal Attack".
> Can it lead to access of directories outside Tomcat/webapps folder also
For the last time, this is in all probability a false positive due to a
crap
Aditi Sinha wrote:
Thanks Guys.
As per my reading of the suggested material and looking at the logs that
Andre has shared, I think there are two ways in which the directory
traversal attack could be made.
1. By having ..\ equivalents in the URL itself
2. By having ..\ equivalents in the request
On 22/11/2012 15:11, David Kerber wrote:
> On 11/22/2012 8:35 AM, Aditi Sinha wrote:
>> Thanks Guys.
>>
>> As per my reading of the suggested material and looking at the logs that
>> Andre has shared, I think there are two ways in which the directory
>> traversal attack could be made.
>>
>> 1. By h
On 11/22/2012 8:35 AM, Aditi Sinha wrote:
Thanks Guys.
As per my reading of the suggested material and looking at the logs that
Andre has shared, I think there are two ways in which the directory
traversal attack could be made.
1. By having ..\ equivalents in the URL itself
2. By having ..\ equ
Thanks Guys.
As per my reading of the suggested material and looking at the logs that
Andre has shared, I think there are two ways in which the directory
traversal attack could be made.
1. By having ..\ equivalents in the URL itself
2. By having ..\ equivalents in the request parameters.
In my c
Athanasios Kostopoulos wrote:
On 22/11/12 10:52, Aditi Sinha wrote:
Hi Andre,
Agree with your points.
Just wanted to know more about "Directory Traversal Attack".
Can it lead to access of directories outside Tomcat/webapps folder also
or can it just try to access the applications within Tom
On 22/11/12 10:52, Aditi Sinha wrote:
Hi Andre,
Agree with your points.
Just wanted to know more about "Directory Traversal Attack".
Can it lead to access of directories outside the Tomcat/webapps folder also,
or can it just try to access the applications within the Tomcat/webapps
folder only?
Than
Hi Andre,
Agree with your points.
Just wanted to know more about "Directory Traversal Attack".
Can it lead to access of directories outside the Tomcat/webapps folder also,
or can it just try to access the applications within the Tomcat/webapps
folder only?
Thanks & Regards,
Aditi
If you top-post (which is strongly discouraged on this list), it makes it very difficult
to answer your questions and still leave the whole thing understandable for other people
who may try to follow this thread.
Aditi Sinha wrote:
Hi Mark, Chuck,
Thanks for the explanation.
On checking fou
On 22 Nov 2012, at 07:34, Aditi Sinha wrote:
> Hi Mark, Chuck,
>
> Thanks for the explanation.
>
> On checking, found that the below system properties are set to true by our
> application for a requirement.
> org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true
>
> org.apac
Hi Mark, Chuck,
Thanks for the explanation.
On checking, found that the below system properties are set to true by our
application for a requirement.
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true
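The two properties above change how Tomcat reads path separators, which is what makes a front-end and Tomcat disagree about where a request ends up. The following detector is an added example written for this page; it is not code from the thread or from the Tomcat project. It assumes the documented semantics of the two properties (ALLOW_BACKSLASH accepts `\` as a separator, ALLOW_ENCODED_SLASH accepts `%2F` and `%5C`), and the access-log lines, the `other-app` context and the `outside.txt` path are constructed for the demonstration. It resolves each logged request target the way Tomcat would under a given setting of the properties and flags any request that reaches a different web application than the literal first path segment names, or that climbs above the root.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Common Log Format) used only to exercise the
# detector; they are not the logs discussed in the mailing-list thread.
SAMPLE_LOG = [
    r'10.0.0.5 - - [22/Nov/2012:09:52:01 +0000] "GET /scripts/index.html HTTP/1.1" 200 312',
    r'10.0.0.5 - - [22/Nov/2012:09:52:02 +0000] "GET /scripts/\../other-app/index.jsp HTTP/1.1" 200 512',
    r'10.0.0.5 - - [22/Nov/2012:09:52:03 +0000] "GET /scripts/%5C..%2Fother-app/index.jsp HTTP/1.1" 200 512',
    r'10.0.0.5 - - [22/Nov/2012:09:52:04 +0000] "GET /scripts/../../outside.txt HTTP/1.1" 404 0',
]

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ENCODED_SEPARATOR = re.compile(r'%(2f|5c)', re.IGNORECASE)


def normalize_request_path(raw_target, allow_backslash=False, allow_encoded_slash=False):
    """Model how a request target is resolved under the two Tomcat properties.

    Returns (normalized_path, escapes_root), or (None, False) when the request
    would be refused before resolution.  Assumed semantics, as documented for
    the properties: ALLOW_BACKSLASH permits a backslash as a path separator and
    ALLOW_ENCODED_SLASH permits %2F and %5C to be decoded into separators.
    """
    path = raw_target.split('?', 1)[0]
    if not allow_encoded_slash and ENCODED_SEPARATOR.search(path):
        return None, False
    decoded = unquote(path)
    if '\\' in decoded:
        if not allow_backslash:
            return None, False
        decoded = decoded.replace('\\', '/')
    segments = []
    escapes_root = False
    for segment in decoded.split('/'):
        if segment in ('', '.'):
            continue
        if segment == '..':
            if segments:
                segments.pop()
            else:
                escapes_root = True  # tried to climb above the root
        else:
            segments.append(segment)
    return '/' + '/'.join(segments), escapes_root


def literal_context(raw_target):
    """First path segment as a naive front-end or scanner would read it."""
    return raw_target.split('?', 1)[0].lstrip('/').split('/', 1)[0]


def flag_context_changes(log_lines, allow_backslash=True, allow_encoded_slash=True):
    """Return request targets that resolve into a different first segment than
    the literal one, or that climb above the root.  The defaults mirror the
    permissive settings reported in the thread (both properties true)."""
    flagged = []
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        target = match.group('target')
        normalized, escapes = normalize_request_path(target, allow_backslash, allow_encoded_slash)
        if normalized is None:
            continue  # Tomcat would have refused it; nothing was resolved
        resolved_context = normalized.lstrip('/').split('/', 1)[0]
        if escapes or resolved_context != literal_context(target):
            flagged.append(target)
    return flagged


if __name__ == '__main__':
    for target in flag_context_changes(SAMPLE_LOG):
        print('suspicious:', target)
```

Running the same log through `flag_context_changes(SAMPLE_LOG, False, False)` shows the difference the properties make: with both left at their defaults, the backslash and encoded-separator requests are refused outright and only the plain `../../` climb is reported.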
On 21 Nov 2012, at 14:59, "André Warnier" wrote:
> Caldarale, Charles R wrote:
>>> From: Aditi Sinha [mailto:adisinha0...@gmail.com] Subject: Need help to
>>> understand CVE-2007-0450
>>> We have a web server hosted on Tomcat 7.0.22.
>>&g
Caldarale, Charles R wrote:
From: Aditi Sinha [mailto:adisinha0...@gmail.com]
Subject: Need help to understand CVE-2007-0450
We have a web server hosted on Tomcat 7.0.22.
The tool was able to access the Tomcat manager application with the
following URL:
http://localhost:8080/scripts
On 21/11/2012 13:40, Aditi Sinha wrote:
> Hi,
>
> We have a web server hosted on Tomcat 7.0.22.
>
> There are two connectors defined in server.xml listening at ports 8080 and 8443.
> During vulnerability scan a 3rd party tool reported CVE-2007-0450 “Apache
> Tomcat Directory Traversal Attack” on bot
> From: Aditi Sinha [mailto:adisinha0...@gmail.com]
> Subject: Need help to understand CVE-2007-0450
> We have a web server hosted on Tomcat 7.0.22.
> The tool was able to access the Tomcat manager application with the
> following URL:
> http://localhost:8080/scripts/\../mana
Hi,
We have a web server hosted on Tomcat 7.0.22.
There are two connectors defined in server.xml listening at ports 8080 and 8443.
During vulnerability scan a 3rd party tool reported CVE-2007-0450 “Apache
Tomcat Directory Traversal Attack” on both ports 8080 and 8443.
The tool was able to access the