10.8 Do not allow additional path delimiters - ALLOW_ENCODED_SLASH

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Being able to specify different path-delimiters on Tomcat creates the possibility that an attacker can access applications that were previously blocked by a proxy like mod_proxy.

Rationale:

Allowing additional path-delimiters allows for an attacker to get to an application or area which was not previously visible.

Solution

To start Tomcat with ALLOW_BACKSLASH and ALLOW_ENCODED_SLASH set to false, add -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false and -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false to your startup script.

Default Value:

By default both parameters are set to false.

References:

https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html

See Also

https://workbench.cisecurity.org/files/2509

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-10, CSCv7|5.1

Plugin: Unix

Control ID: 691a87df5f95d81d3a054d398bee84162178799dfcde9313bac5afd3eb7150ad