Anonymous | Login | Signup for a new account | 12-17-2024 11:40 PST |
Main | My View | View Issues | Change Log | Docs |
Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||||
ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
0006075 | [Resin] | major | always | 07-27-17 03:28 | 11-21-17 09:43 | ||||
Reporter | stbu | View Status | public | ||||||
Assigned To | ferg | ||||||||
Priority | normal | Resolution | fixed | ||||||
Status | closed | Product Version | 4.0.53 | ||||||
Summary | 0006075: Vulnerable to Web Cache Deception Attack | ||||||||
Description |
Under certain circumstances also Resin seems to be vulnerable to Web Cache Deception Attack due to the URL handling. Please refer to this link for further information regarding this Attack and how PayPal was affected: http://omergil.blogspot.de/2017/02/web-cache-deception-attack.html?m=1 [^] The URL handling of Caucho Resin works in a way that is required by this attack and should be avoided. <quote-from-omer-gil-link> Configure the web server so that for pages such as http://www.example.com/home.php/non-existent.css, [^] the web server doesn’t return the content of "home.php" with this URL. Instead, for example, the server should respond with a 404 or 302 response. </quote-from-omer-gil-link> For example this request will serve the content of reference.xtp and not return a 404 for the non-existent.css: http://caucho.com/resin-4.0/reference.xtp/non-existent.css [^] The other requirements for the attack might be beyond the control of a Resin powered host. For example if using Cloudflare and their Cache in front of Resin. Please refer also to their blog post regarding this: https://blog.cloudflare.com/understanding-our-cache-and-the-web-cache-deception-attack/ [^] <quote-from-cloudflare-link> Defending Against the Web Cache Deception Attack The best way to defend against this attack is to ensure that your website isn't so permissive, and never treats requests to nonexistent paths (say, /x/y/z) as equivalent to requests to valid parent paths (say, /x). In the example above, that would mean that requests to /newsfeed/foo or /newsfeed/foo.jpg wouldn't be treated as equivalent to requests to /newsfeed, but would instead result in some kind of error or a redirect to a legitimate page. </quote-from-cloudflare-link> Can the URL handling of Caucho Resin be changed to mitigate such attacks or is there maybe a possibility to mitigate this with some kind of a Url rewriting and dispatching Rule like if JspServlet is triggered but the requests file extensions does not match with the url-patters mapped to JspServlet? |
||||||||
Additional Information | |||||||||
Attached Files | |||||||||
|
Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
34 total queries executed. 28 unique queries executed. |