Question regarding CVE-2018-11784


Question regarding CVE-2018-11784

Yoli Mana
Hi All,

Looking at the description of the vulnerability below, it is not clear to
me if this is only relevant to those who use Tomcat for serving static
files (since they are talking about directory redirection).
If our Tomcat instance is used only to serve dynamic content, is the
vulnerability relevant to us?

Thanks,

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11,
8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory
(e.g. redirecting to '/foo/' when the user requested '/foo') a specially
crafted URL could be used to cause the redirect to be generated to any URI
of the attackers choice.

Re: Question regarding CVE-2018-11784

markt
On 29/10/18 11:29, Yoli Mana wrote:
> Hi All,
>
> Looking at the description of the vulnerability below, it is not clear to
> me if this is only relevant to those who use Tomcat for serving static
> files (since they are talking about directory redirection).
> If our Tomcat instance is used only to serve dynamic content, is the
> vulnerability relevant to us?

If your application does not make use of Tomcat's default servlet then
you will not be affected by this vulnerability. You would need to check
the servlet mappings for the application to determine if Tomcat's
default servlet would be used to respond to any requests.

Mark

>
> Thanks,
>
> When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11,
> 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory
> (e.g. redirecting to '/foo/' when the user requested '/foo') a specially
> crafted URL could be used to cause the redirect to be generated to any URI
> of the attackers choice.
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Question regarding CVE-2018-11784

Christopher Schultz-2

Yoli,

On 10/29/18 08:18, Mark Thomas wrote:

> On 29/10/18 11:29, Yoli Mana wrote:
>> Hi All,
>>
>> Looking at the description of the vulnerability below. It is not
>> clear to me if this is only relevant to those who use Tomcat for
>> serving static files (since they are talking about directory
>> redirection). If our Tomcat instance is used only to serve
>> dynamic content, is the vulnerability relevant to us?
>
> If your application does not make use of Tomcat's default servlet
> then you will not be affected by this vulnerability. You would need
> to check the servlet mappings for the application to determine if
> Tomcat's default servlet would be used to respond to any requests.

... and it almost certainly would be used for that purpose at some
point. You should expect that your server is indeed vulnerable and you
should upgrade.

-chris


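As an added example that is not part of the thread and not Tomcat's own code: a Python script that performs the check Mark describes (which servlet a request path resolves to once a webapp's WEB-INF/web.xml mappings are merged over conf/web.xml, following the URL-pattern matching order of the Servlet specification: exact, longest path prefix, extension, then the "/" default mapping), together with a check of a Tomcat version string against the ranges quoted from the advisory, which is the upgrade question Chris raises. The web.xml fragments, servlet names and request paths are constructed samples, not taken from any real deployment.

```python
"""Added example: does a request reach Tomcat's default servlet under a given
set of servlet mappings, and is a Tomcat version inside the ranges quoted in
the thread for CVE-2018-11784?  web.xml fragments below are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed: the part of Tomcat's conf/web.xml that gives every webapp the
# default servlet on "/" and the JSP servlet on *.jsp / *.jspx.
CONF_WEB_XML = """<web-app>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern><url-pattern>*.jspx</url-pattern></servlet-mapping>
</web-app>"""

# Constructed: a "dynamic only" webapp whose own servlets cover /api/* and
# /login but which never overrides "/", so unmatched paths still fall through
# to the default servlet.
APP_WEB_XML = """<web-app>
  <servlet-mapping><servlet-name>api</servlet-name><url-pattern>/api/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>login</servlet-name><url-pattern>/login</url-pattern></servlet-mapping>
</web-app>"""

# Constructed: the same webapp with a front controller mapped to "/", which
# replaces the default servlet for that webapp.
APP_WEB_XML_FRONT = APP_WEB_XML.replace(
    "</web-app>",
    '  <servlet-mapping><servlet-name>front</servlet-name>'
    '<url-pattern>/</url-pattern></servlet-mapping>\n</web-app>')


def parse_mappings(xml_text):
    """Return {url_pattern: servlet_name} from a web.xml string (namespace-agnostic)."""
    mappings = {}
    for elem in ET.fromstring(xml_text).iter():
        if not elem.tag.endswith("servlet-mapping"):
            continue
        name, patterns = None, []
        for child in elem:
            if child.tag.endswith("servlet-name"):
                name = child.text.strip()
            elif child.tag.endswith("url-pattern"):
                patterns.append(child.text.strip())
        for pattern in patterns:
            mappings[pattern] = name
    return mappings


def merged_mappings(conf_xml, app_xml):
    """A webapp's mapping for a pattern overrides the one from conf/web.xml."""
    merged = parse_mappings(conf_xml)
    merged.update(parse_mappings(app_xml))
    return merged


def resolve_servlet(mappings, path):
    """Servlet name that handles `path`, or None if nothing matches (404)."""
    if path in mappings:                      # 1. exact match
        return mappings[path]
    best = None                               # 2. longest /prefix/* match
    for pattern, name in mappings.items():
        if pattern.endswith("/*"):
            prefix = pattern[:-2]
            if path == prefix or path.startswith(prefix + "/"):
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, name)
    if best:
        return best[1]
    last = path.rsplit("/", 1)[-1]            # 3. *.ext against last segment
    for pattern, name in mappings.items():
        if pattern.startswith("*.") and last.endswith(pattern[1:]):
            return name
    return mappings.get("/")                  # 4. the "/" default mapping


def default_servlet_paths(mappings, paths):
    """Subset of `paths` that Tomcat's default servlet would serve."""
    return [p for p in paths if resolve_servlet(mappings, p) == "default"]


# Ranges exactly as quoted in the thread; branches the advisory text does not
# list (e.g. 8.0.x) are reported as "not in range", which is not "safe".
AFFECTED = {(9, 0): (0, 11), (8, 5): (0, 33), (7, 0): (23, 90)}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M\d+)?$")  # 9.0.0.M1 counts as 9.0.0


def is_affected(version):
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % version)
    major, minor, patch = (int(x) for x in m.groups())
    low_high = AFFECTED.get((major, minor))
    return low_high is not None and low_high[0] <= patch <= low_high[1]


if __name__ == "__main__":
    probes = ["/", "/foo", "/foo/", "/api/users", "/login", "/index.jsp"]
    for label, app in (("no '/' override", APP_WEB_XML),
                       ("front controller on '/'", APP_WEB_XML_FRONT)):
        m = merged_mappings(CONF_WEB_XML, app)
        print(label, "-> default servlet serves:", default_servlet_paths(m, probes))
    for v in ("9.0.0.M1", "9.0.11", "9.0.12", "8.5.33", "7.0.91"):
        print(v, "affected" if is_affected(v) else "not in the quoted ranges")
```

To run this against a real deployment, feed it the contents of $CATALINA_BASE/conf/web.xml and the webapp's WEB-INF/web.xml; mappings declared with @WebServlet annotations or registered programmatically are not in web.xml and would have to be added by hand. A webapp that maps its own servlet to "/" replaces the default servlet for that context; one that only maps prefixes or extensions leaves "/" to Tomcat, which is the situation Chris expects and the reason the upgrade is the safe answer.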