Discussion:
Question regarding CVE-2018-11784
Yoli Mana
2018-10-29 11:29:39 UTC
Permalink
Hi All,

Looking at the description of the below vulnerability. It is not clear to
me if this is only relevant to those who use Tomcat for serving static
files (since they are talking about directory redirection).
If our Tomcat instance is used only to serve dynamic content, is the
vulnerability is relevant to us?

Thanks,

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11,
8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory
(e.g. redirecting to '/foo/' when the user requested '/foo') a specially
crafted URL could be used to cause the redirect to be generated to any URI
of the attackers choice.
Mark Thomas
2018-10-29 12:18:17 UTC
Permalink
Post by Yoli Mana
Hi All,
Looking at the description of the below vulnerability. It is not clear to
me if this is only relevant to those who use Tomcat for serving static
files (since they are talking about directory redirection).
If our Tomcat instance is used only to serve dynamic content, is the
vulnerability is relevant to us?
If your application does not make use of Tomcat's default servlet then
you will not be affected by this vulnerability. You would need to check
the servlet mappings for the application to determine if Tomcat's
default servlet would be used to respond to any requests.

Mark
Post by Yoli Mana
Thanks,
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11,
8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory
(e.g. redirecting to '/foo/' when the user requested '/foo') a specially
crafted URL could be used to cause the redirect to be generated to any URI
of the attackers choice.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Christopher Schultz
2018-10-29 13:35:47 UTC
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Yoli,
Post by Mark Thomas
Post by Yoli Mana
Hi All,
Looking at the description of the below vulnerability. It is not
clear to me if this is only relevant to those who use Tomcat for
serving static files (since they are talking about directory
redirection). If our Tomcat instance is used only to serve
dynamic content, is the vulnerability is relevant to us?
If your application does not make use of Tomcat's default servlet
then you will not be affected by this vulnerability. You would need
to check the servlet mappings for the application to determine if
Tomcat's default servlet would be used to respond to any requests.
... and it almost certainly would be used for that purpose at some
point. You should expect that your server is indeed vulnerable and you
should upgrade.

- -chris

-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlvXDLMACgkQHPApP6U8
pFjAgA/+L7hTuE5PLDS0fvntgrqe830DR4+J+I2avfRG5qF+SYGS6Hl436jlOnde
V+cwOzs5fapvbj4XpNsKtP5yUMV/MhVOFsgHUpn6qIvRHJEr0SW38VdAOX9yySFL
WEgYU3n3toIgAuXw02vuvxR+c6A3GxYeeXy3pEK9w4HVZYBDgoeXS0QnM0DMfJtN
V50t9ZdrQtqKLRd9NrQX4s6TWPDvdAggrLSdsBRPYYf7vF4wOyjH7c5qiO2+XsvJ
gAq/0WXiQ7lSyRATtTs/zqy/lXuiIu2JKddx9uenYTk4AgWk2uLGrMdjKg0W38RY
Loq1twuqF9Gmn9pOPoU0Q+UvPxim9RKoZ8RpSmLAfIH2vLChl0ET9+OlsquWyTQt
4AuphfE2W2+lO2N7rCDllytwxLcpuM1U+8ayld2KaDkkUcSI0NW2jV+h1x9ED9G5
MwsL2o/2H9+DuIGW7sZNpijRTUClWVdatAGUOt8BkMFDFKImhrlJQP1wZdBWcZaZ
v/dcFP089bEDOBxPprk+m2qyuwqRIJqzwuHLP4uPMPLnZD/G5RP4UGkUrVweVa8s
b1HXTkIY+c18nO0D/B+Pbe8F5V+AN8au2FV25sXd7uFa+OqnBIVUTYfVxkdoorLm
P4e99q2duTyW/ifm+PVEGMDAnOhVp726J7gZNSpWClbxnTX76rQ=
=hz4z
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org

Loading...