
I have observed a path normalization issue in Tomcat when I was passing "..;" in the URL. I tested this with Nginx and Apache-tomcat-10.0.0-M4. I was able to access file directories which are not allowed in Nginx. Please see the screenshots below for more information.

  1. Nginx configuration:

[screenshot: Nginx configuration]

As per the above configuration, I have enabled only the /app/ context path in Nginx.

  2. I created two directories called App (containing test.html) and App2 (containing test2.html) in the Tomcat ROOT directory.

[screenshot]

  3. As per the above Nginx configuration, it allows access only to app/test.html. But using a semicolon it is possible to access the app2/test2.html file as well.

Normal behavior

[screenshot]

Behavior with the semicolon

[screenshot]

As per the above screenshot, it is possible to access the test2.html page via Nginx with the semicolon even though the app2 context path is not defined in the Nginx configuration. Also, please note that I checked this behavior without Nginx and observed the same behavior. I was able to reproduce this issue directly in Tomcat 9.0.12 and Tomcat 10.0.0-M4.

[screenshot]

[screenshot]

Is this already a known issue, or is this normal behavior at the Tomcat level? A similar issue was discussed at Black Hat (see the link below for more details).

Asked by surethiv
  • Did you mean [this](https://www.blackhat.com/us-18/briefings/schedule/index.html#breaking-parser-logic-take-your-path-normalization-off-and-pop-days-out-10346) ? – paj28 May 12 '20 at 01:02
  • 1
    @paj28, i sent an email to tomcat security team regarding this before posting here. But i didn't get a clear answer and as per their reply it is a normal tomcat behavior. That is why i posted here to get a community support. – surethiv May 13 '20 at 03:22
  • What happens if you configure nginx to serve that same directory, and you send it a URL containing a `/../` path segment? Will it serve `test2.html` and `index.html` as shown in the "vulner" example? I'm asking about nginx's behavior when it's serving directly and not acting as a reverse-proxy. – Christopher Schultz Jul 14 '21 at 21:33
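The mismatch the question describes, written out as an added example (this is not code from the original post, and not Tomcat's or nginx's own code): the two normalizers below model, in simplified form, how each server reduces a request path before acting on it. nginx resolves `.` and `..` but treats `;` as an ordinary character, so `/app/..;/app2/test2.html` still begins with `/app/` and matches a `location /app/` block; Tomcat strips `;name=value` path parameters from every segment first, so the same request becomes `/app2/test2.html`. The models are assumptions for illustration (they cover only the segment rules relevant here, not percent-decoding or Tomcat's rejection of encoded slashes), and the sample requests are constructed from the question's set-up.

```python
"""Model of the front-end / back-end path normalization mismatch behind the
"..;" trick.  Assumption: both models are simplified to the segment rules
relevant here (dot segments, ";" path parameters); they are not the servers'
real parsers."""


def _resolve_dots(segments):
    """Resolve "." and ".." segments; return None if ".." climbs above root
    (both servers reject such a request instead of serving it)."""
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def nginx_normalize(uri):
    """nginx-style view: merge slashes, resolve dot segments, leave ";"
    untouched, so "..;" is just a literal directory name."""
    path = uri.split("?", 1)[0]
    return _resolve_dots(path.split("/"))


def tomcat_normalize(uri):
    """Tomcat-style view: each segment loses everything from its first ";"
    (Servlet path parameters such as ";jsessionid=...") and only then are dot
    segments resolved, so "..;" collapses to ".." and climbs one level."""
    path = uri.split("?", 1)[0]
    stripped = [seg.split(";", 1)[0] for seg in path.split("/")]
    return _resolve_dots(stripped)


def nginx_would_proxy(uri, location_prefix):
    """True if an nginx `location <prefix>` block would match and forward."""
    front = nginx_normalize(uri)
    return front is not None and front.startswith(location_prefix)


def prefix_bypass(uri, location_prefix):
    """True when nginx forwards the request under location_prefix but Tomcat
    resolves it to a resource outside that prefix: the case in the question."""
    if not nginx_would_proxy(uri, location_prefix):
        return False
    back = tomcat_normalize(uri)
    return back is not None and not back.startswith(location_prefix)


def frontend_guard(uri, location_prefix):
    """Hardening check for the proxy layer: refuse any path segment carrying
    ";" at all, then re-run the back end's normalization and require the
    resulting target to stay inside the allowed prefix."""
    path = uri.split("?", 1)[0]
    if ";" in path:
        return False
    back = tomcat_normalize(uri)
    return back is not None and back.startswith(location_prefix)


if __name__ == "__main__":
    allowed = "/app/"
    # Constructed sample requests modeled on the question's directory layout.
    for req in ("/app/test.html",
                "/app/../app2/test2.html",
                "/app/..;/app2/test2.html",
                "/app/..;/..;/app2/test2.html"):
        print(f"{req:32} nginx={nginx_normalize(req)!s:26} "
              f"tomcat={tomcat_normalize(req)!s:18} "
              f"bypass={prefix_bypass(req, allowed)!s:5} "
              f"guard_allows={frontend_guard(req, allowed)}")
```

`prefix_bypass` is the detection you would run in a proxy or WAF rule: the request is dangerous exactly when the front end's prefix check passes but the back end's own view of the path leaves the prefix. `frontend_guard` shows the matching mitigation; the plain `/app/../app2/test2.html` request is not a bypass because nginx already collapses it to `/app2/test2.html` and never routes it under `/app/`.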

0 Answers