URL 中的两个连续点将 URL 导航向后移动一步 [英] Two consecutive dots in URL moves the URL navigation one step backward

问题描述

我对 URL 中点-点-分号模式的使用几乎没有怀疑(访问部署在 apache tomcat webapps 文件夹中的 servlet 应用程序).使用 dot-dot-semicolon(/..;/) 使 url 回到一步.原问题(仅点点模式)是目录遍历漏洞，已在最新版本tomcat 6.0.18 , domainname/../manager/html 解决标准化为 domainname/manager/html(404 错误).但是在6.0.37中，我们可以用dot-dot-分号重新产生与domainname/..;/manager/html相同的漏洞，然后我们就可以访问tomcat 内部文件夹，例如 admin url，它提示我 tomcat 管理员用户名和密码的凭据.这里domainname是tomcat部署的servlet app访问的客户端URL，客户端URL在httpd.conf中配置为

I have few doubts regarding the usage of the pattern dot-dot-semicolon in the URL(to access servlet app deployed in apache tomcat webapps folder). Using dot-dot-semicolon(/..;/) makes the url back to one step. The original issue(only dot-dot pattern) is a directory traversal vulnerability which has been resolved in latest version than tomcat 6.0.18 , domainname/../manager/html normalized to domainname/manager/html(404 error). But in 6.0.37,we can re-produce the same vulnerability with dot-dot-semicolon as domainname/..;/manager/html, then we can access the tomcat internal folder such as admin url and it prompts me the credentials of tomcat manager username and password. Here domainname is the client URL accessed the servlet app deployed in tomcat and the client url is configured in httpd.conf as

<VirtualHost *:443>
DocumentRoot /usr/local/apache/htdocs/EMPTY

JkMount /* ajp13
RewriteEngine on
RewriteRule ^/(.*) /he/$1 [PT]
</VirtualHost *:80>

我们可以对 RewriteRule 使用任何表达式来避免以下请求 URL 的模式(https://domainname/..;)

Can we use any expression for RewriteRule to avoid the pattern(https://domainname/..;) for the below request URL's

"https://domainname/..;======/xxx/yyyy"
"https://domainname/..;/xxx/yyyy"
"https://domainname/..;abcd/xxx/yyyy"


virtual host settings in apache httpd.conf
<VirtualHost :80>
DocumentRoot /usr/local/apache/htdocs/EMPTY ServerName client.website.com 
RewriteEngine On # Redirect all requests to the local Apache server to port 
8000 
RewriteRule ^/?(.) https://%{SERVER_NAME}/$1 [R,L] 
</VirtualHost>

请提出建议.

谢谢

推荐答案

您无法更改此行为.

大多数浏览器会在请求发送到服务器之前进行标准化(将/aaa/bbb/../ccc 转换为/aaa/ccc).如果这样的请求到达 Tomcat，Tomcat 会在处理之前对其进行规范化.这是为了安全以防止，例如绕过安全限制.无法禁用此功能，并且几乎肯定会拒绝任何要求禁用此功能的请求.

Most browsers will normalize (convert /aaa/bbb/../ccc into /aaa/ccc) before the request is even sent to the server. If such a request reaches Tomcat, Tomcat will always normalise it before processing. This is for security to prevent, for example, bypassing of security constraints. There is no way to disable this and any requests for a feature to allow disabling this will almost certainly be rejected.

对于您引用的 URL，其中 /../ 紧跟在主机之后，Tomcat 将返回 400 响应.同样，如果您尝试在地址栏中输入这些网址，浏览器很可能会更改这些网址.

For the the URLs you quote where /../ follows immediately after the host, Tomcat will return a 400 response. Again, browsers may well change such URLs if you try entering them in the address bar.

这篇关于URL 中的两个连续点将 URL 导航向后移动一步的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！