Question

There is a serious security issue in our product, which runs on an Apache Tomcat server listening on ports 80 and 443. The routing of incoming HTTP/HTTPS packets on these ports is configured by our product classes, which fail to ensure that each requested URL refers to a file that is both located within the web root of the server and of a type that is allowed to be served.

In particular, packets that match '/error/*' in the URL are configured to use the 'docroot' folder as the document root for serving files. And so paths which traverse out of the /error/ (i.e. docroot) directory using URL-encoded backslashes (%5C) can also be accessed and downloaded. For example, a remote user can give a URL like:

    https://MyDomain/error/..%5c..%5csettings.properties  

to access the remote file settings.properties that is on the same level as docroot. We are trying to overcome this through firewall rules and network segmentation. But is there a setting in Tomcat that can be used to prevent remote users from accessing files outside the project root folder? That would be very useful.


Solution

If you want to restrict direct URL access to some files, put them under WEB-INF directory.

Quote from here (note: the below URL is currently unavailable):
http://www.servletworld.com/servlet-tutorials/web-application-directory-structure.html

Root directory contains a directory named WEB-INF. Anything under the root directory excepting the WEB-INF directory is publicly available, and can be accessed by URL from browser.

WEB-INF directory is a private area of the web application, any files under WEB-INF directory cannot be accessed directly from browser by specifying the URL like http://somesite/WEB-INF/someresource.html. Web container will not serve the content of this directory. However the content of the WEB-INF directory is accessible by the classes within the application. So if there are any resources like JSPs or HTML document that you don’t wish to be accessible directly from web browser, you should place it under WEB-INF directory.
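The question's traversal (`/error/..%5c..%5csettings.properties` escaping the `docroot` mapping) and the answer's WEB-INF point both come down to one check: after decoding, the resolved path must still lie inside the document root and must not enter the container's private directories. The following is an added example, not code from the question, the answer, or Tomcat itself; it assumes a hypothetical `/error/*` mapping whose document root is the constructed path `/var/lib/tomcat/webapps/myapp/error`, and it treats a backslash as a path separator, as Windows filesystems do. It is validation logic a defender could run in a filter or a test suite, not a replacement for keeping private files under WEB-INF.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the '/error/*' mapping (assumption, not Tomcat's default).
DOCROOT = "/var/lib/tomcat/webapps/myapp/error"
MAPPING_PREFIX = "/error/"
# Container-private directories that must never be served directly.
PRIVATE_DIRS = {"WEB-INF", "META-INF"}


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    sequence such as %252e%252e (-> %2e%2e -> ..) is seen for what it is.
    For a reject-or-allow check, decoding more aggressively than the server
    would is the conservative choice."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_request_path(url_path: str,
                         docroot: str = DOCROOT,
                         prefix: str = MAPPING_PREFIX) -> Optional[str]:
    """Map a request path under `prefix` to a filesystem path inside `docroot`.
    Returns the resolved path, or None when the request must be refused."""
    docroot = posixpath.normpath(docroot)
    decoded = fully_decode(url_path)

    # NUL bytes truncate paths in C-based filesystem APIs; never pass them on.
    if "\x00" in decoded:
        return None

    # Treat backslashes as separators: this is exactly what lets %5c escape.
    decoded = decoded.replace("\\", "/")

    # Only requests under the mapping are this resolver's business.
    if not decoded.startswith(prefix):
        return None
    relative = decoded[len(prefix):].lstrip("/")

    # Collapse '.' and '..' segments, then confirm containment.
    resolved = posixpath.normpath(posixpath.join(docroot, relative))
    if resolved != docroot and not resolved.startswith(docroot + "/"):
        return None

    # Even inside the root, refuse the container-private directories.
    inside = resolved[len(docroot):].strip("/")
    if any(seg.upper() in PRIVATE_DIRS for seg in inside.split("/") if seg):
        return None

    return resolved


if __name__ == "__main__":
    # Constructed sample requests, including the one from the question.
    for path in ["/error/404.html",
                 "/error/..%5c..%5csettings.properties",
                 "/error/sub/../404.html",
                 "/error/%252e%252e/settings.properties",
                 "/error/WEB-INF/web.xml"]:
        print(f"{path!r:50} -> {resolve_request_path(path)}")
```

The containment test compares against `docroot + "/"` rather than `docroot` alone, so a sibling directory such as `/var/lib/tomcat/webapps/myapp/error2` is not mistaken for something inside the root. Run it as a script to see each constructed request either resolve to a path under the root or be refused.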

Other tips

You might be able to restrict access to your error folder using robots, and you can also map an entry for error/* to the redirected page.

Encoding all requests and responses should solve the / -> %5c issue

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow