
How to reproduce the Apache Tomcat security bypass vulnerability

2025-03-09 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)05/31 Report--

This article explains in detail how to reproduce the Apache Tomcat security bypass vulnerability. Interested readers can use it as a reference.

Encyclopedia of thousands of miles

Apache Tomcat is a Servlet container developed by the Jakarta project under the Apache Software Foundation. Following the technical specifications provided by Sun Microsystems, it supports Servlets and JavaServer Pages (JSP), and as a Web server it provides some features of its own, such as the Tomcat management console, security realm management and Tomcat valves. Tomcat is popular with programmers because of its low system resource usage, good extensibility, and support for load balancing and mail services, which are commonly used when developing application systems.

Vulnerability description

This security bypass vulnerability affects some versions of Apache Tomcat. Security constraints defined by annotations on a Servlet are applied only after that Servlet has been loaded. Because constraints defined in this way apply to the URL pattern and any URL below that point, some security constraints may not be applied, depending on the order in which Servlets are loaded. An attacker can exploit this vulnerability to bypass certain security restrictions and perform unauthorized operations.

Vulnerability reproduction

The description above may be too technical, so we have prepared an example to give readers an intuitive understanding.

The prerequisites for triggering this vulnerability are:

The business system is deployed on an earlier version of Tomcat.

The business system defines security constraints through annotations.

Based on this, we set up a runtime environment with JDK 1.8 and Apache Tomcat 8.5.24.

Create a new Web project and import jar files such as annotations-api.jar (annotations-api.jar is the jar package required for annotations, and an error is reported if it is not imported).

The ServletSecurity annotation can be applied directly to a Java Servlet and protects the Servlet much like an ACL. If servlet_one carries a ServletSecurity annotation and servlet_two does not, unauthorized access may result. Create new servlet_one.java and servlet_two.java files as follows:

Comparing the two files, servlet_one is preceded by a ServletSecurity annotation, while servlet_two has none.

Modify the web.xml file as follows. (In web.xml, the servlet element assigns a name to each servlet, and the servlet-mapping element associates a custom URL with the name just assigned.)

Here there are two servlets (servlet_one and servlet_two). The access path of servlet_one is "/servlet1/" and the access path of servlet_two is "/servlet1/servlet2". Because the vulnerable version may fail to apply some security constraints depending on the Servlet loading order, accessing /servlet1/servlet2 directly, without first accessing /servlet1/, means the ServletSecurity annotation of servlet_one has not taken effect and does not protect the "/servlet1/servlet2" path. This may lead to the leakage of some resources.

If the access path "/servlet1/" of servlet_one is accessed directly at this point, the ServletSecurity annotation takes effect and access to the resource is denied.

Without restarting Tomcat, once the access path "/servlet1/" of servlet_one has been accessed, a subsequent request to the access path "/servlet1/servlet2" of servlet_two finds the ServletSecurity annotation already triggered, so the servlet_two resource can no longer be accessed and the request is denied. (This can serve as a temporary defense, but it is not recommended; upgrade as soon as possible.)
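A static check for the layout described above, as an added example that is not code from the original article: it parses web.xml, finds servlets whose source carries a ServletSecurity annotation, and reports unannotated servlets mapped beneath their URL pattern. Assumptions: the `/servlet1/*` wildcard pattern, the `demo.` package names, the constructed sample files, and that a non-negative `load-on-startup` loads the servlet at deployment so its constraint is already applied before any request.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the article's layout (not the author's files).
# The "/servlet1/*" wildcard is an assumption; the article writes "/servlet1/".
WEB_XML = """<web-app>
  <servlet><servlet-name>servlet_one</servlet-name>
    <servlet-class>demo.servlet_one</servlet-class></servlet>
  <servlet><servlet-name>servlet_two</servlet-name>
    <servlet-class>demo.servlet_two</servlet-class></servlet>
  <servlet-mapping><servlet-name>servlet_one</servlet-name><url-pattern>/servlet1/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>servlet_two</servlet-name><url-pattern>/servlet1/servlet2</url-pattern></servlet-mapping>
</web-app>"""
SOURCES = {  # servlet class name -> Java source text (constructed)
    "demo.servlet_one": '@ServletSecurity(@HttpConstraint(rolesAllowed = {"admin"}))\npublic class servlet_one extends HttpServlet {}',
    "demo.servlet_two": "public class servlet_two extends HttpServlet {}",
}

def _kids(parent, name):
    # Match on the local tag name so namespaced web.xml files also work.
    return [c for c in parent if c.tag.rsplit("}", 1)[-1] == name]

def _text(parent, name):
    found = _kids(parent, name)
    return (found[0].text or "").strip() if found else ""

def audit(web_xml, sources):
    """Return (exposed_url, exposed_servlet, guarding_servlet) tuples."""
    root, servlets = ET.fromstring(web_xml), {}
    for s in _kids(root, "servlet"):
        los = _text(s, "load-on-startup")
        servlets[_text(s, "servlet-name")] = {
            "annotated": "@ServletSecurity" in sources.get(_text(s, "servlet-class"), ""),
            # Assumption: non-negative load-on-startup means loaded at deployment.
            "eager": los.isdigit(),
            "patterns": [],
        }
    for m in _kids(root, "servlet-mapping"):
        entry = servlets.get(_text(m, "servlet-name"), {"patterns": []})
        entry["patterns"] += [(p.text or "").strip() for p in _kids(m, "url-pattern")]
    findings = []
    for gname, g in servlets.items():
        if not g["annotated"] or g["eager"]:
            continue  # no annotation constraint, or it does not depend on request order
        for prefix in (p[:-1] for p in g["patterns"] if p.endswith("/*")):
            for oname, o in servlets.items():
                if oname != gname and not o["annotated"]:
                    findings += [(p, oname, gname) for p in o["patterns"] if p.startswith(prefix)]
    return findings
```

Each finding is a URL whose protection depends on another servlet having been loaded first; on a Tomcat version older than the fixed releases named below, treat these as candidates for review.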

Affected versions

Repair suggestion

Because an attacker who does not know the structure of the target website can easily trigger its security constraints, this vulnerability is difficult to exploit. Nevertheless, users are advised to update promptly to Apache Tomcat 8.5.28, Apache Tomcat 8.0.50 or Apache Tomcat 7.0.85.

That concludes this walkthrough of reproducing the Apache Tomcat security bypass vulnerability. I hope the content above is of some help to you.
