10.8 Do not allow additional path delimiters (ALLOW_ENCODED_SLASH)

Information

Being able to specify different path-delimiters on Tomcat creates the possibility that an attacker can access applications that were previously blocked a proxy like mod_proxy.

Solution

Start Tomcat with ALLOW_BACKSLASH set to false and ALLOW_ENCODED_SLASH set to false. Add the following to your startup script:
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false
-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false

See Also

https://workbench.cisecurity.org/files/266

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-10

Plugin: Unix

Control ID: 7ecc3da894ab4ac7476f2e465c64a839ed1e1f0c1e2231de961de53e6056912d