10.8 Do not allow additional path delimiters (ALLOW_BACKSLASH)

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Allowing Tomcat to accept additional path delimiters (a backslash, or an encoded slash) means a request can be written in a form that a front-end proxy such as mod_proxy does not recognise as a path it should block, while Tomcat still resolves it to that path. An attacker could use this to reach applications that the proxy was meant to block.

Solution

Start Tomcat with ALLOW_BACKSLASH set to false and ALLOW_ENCODED_SLASH set to false. Add the following to your startup script:
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false
-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false
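The following is an added example, not part of the CIS benchmark or the Tenable audit text. It shows one way to apply the two JVM options through a setenv.sh file and a check that reads the effective property values from a Tomcat command line (the last -D occurrence of a property is the one the JVM applies). The setenv.sh location under $CATALINA_BASE/bin and the assumption of a single Tomcat instance identified by its Bootstrap main class are the example's own; the property names and values come from the audit above.

```shell
#!/bin/sh
# Added example: apply and verify the ALLOW_BACKSLASH / ALLOW_ENCODED_SLASH
# settings from this audit. Not Tenable's or CIS's own check logic.

PROP_BACKSLASH=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH
PROP_ENCSLASH=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH

# Print the effective value of JVM system property $2 found in the argument
# string $1 (space separated, e.g. from `ps -o args=` or $CATALINA_OPTS).
# When a property is given more than once, the last one wins, so take the
# last match. Prints nothing when the property is not set at all.
jvm_prop_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^-D$2=//p" | tail -n 1
}

# Return 0 only when BOTH properties are explicitly set to "false" in $1.
# An unset property or any other value is treated as a finding, matching the
# audit's requirement that both be set to false.
tomcat_path_delims_disabled() {
    [ "$(jvm_prop_value "$1" "$PROP_BACKSLASH")" = "false" ] &&
    [ "$(jvm_prop_value "$1" "$PROP_ENCSLASH")" = "false" ]
}

# Append the two options to CATALINA_OPTS in $1/bin/setenv.sh, where $1 is
# CATALINA_BASE (assumed path, for example /opt/tomcat). Tomcat's catalina.sh
# sources this file on startup; the file is created if it does not exist.
write_setenv() {
    base="$1"
    mkdir -p "$base/bin"
    cat >> "$base/bin/setenv.sh" <<EOF
CATALINA_OPTS="\${CATALINA_OPTS:-} -D$PROP_BACKSLASH=false -D$PROP_ENCSLASH=false"
export CATALINA_OPTS
EOF
}

# Look at the running Tomcat JVM (assumption: one instance, started via the
# standard Bootstrap class) and report PASS or FAIL for this audit item.
check_running_tomcat() {
    args="$(ps -eo args= 2>/dev/null | grep '[o]rg.apache.catalina.startup.Bootstrap' | head -n 1)"
    if [ -z "$args" ]; then
        echo "no running Tomcat found"
        return 2
    fi
    if tomcat_path_delims_disabled "$args"; then
        echo "PASS: both path-delimiter properties are false"
        return 0
    fi
    echo "FAIL: ALLOW_BACKSLASH=$(jvm_prop_value "$args" "$PROP_BACKSLASH") ALLOW_ENCODED_SLASH=$(jvm_prop_value "$args" "$PROP_ENCSLASH")"
    return 1
}

# Usage: sh this_script.sh --check   (inspects the running Tomcat)
if [ "${1:-}" = "--check" ]; then
    check_running_tomcat
fi
```

Run the check after a restart, not just after editing setenv.sh: the property only takes effect for the JVM that was started with it, and a later `-D...ALLOW_BACKSLASH=true` elsewhere in the startup script would silently override the setenv.sh value, which is why the check reads the last occurrence rather than just searching for the string.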

See Also

https://workbench.cisecurity.org/files/267

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-10

Plugin: Unix

Control ID: ad379cad13c6457e9e76ee9006953e4749a072ef4f2374fd34fc89c66c1cda6b