Quick tip: Watch out — restriction by location can be circumvented.

by @Andrey Danau, Wallarm Research

If you are like many app developers, you may be using nginx or Apache as a proxy or web server on the front end of your application. If you are on a tight schedule, it is tempting to tie authorization and data controls simply to the locations defined in the front end.

Here lies a pitfall: the Java-based back end and the front end treat the location path differently. Because of this, it is possible to bypass the location-based restrictions.

Let’s consider an example where basic authorization can be circumvented.

The example in this post was tested with Apache/2.4.27 (Ubuntu) and nginx/1.10.3 (Ubuntu).

The Apache configuration was as follows:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # Basic auth is enforced only for paths Apache matches against /resin-doc/
    <Location /resin-doc/>
        AuthType Basic
        AuthName "test"
        AuthUserFile "/etc/.htpasswd"
        Require valid-user
    </Location>
    # Everything is proxied to the back end on port 8080
    ProxyPass / http://0.0.0.0:8080/
    ProxyPassReverse / http://0.0.0.0:8080/
</VirtualHost>


For nginx:

location / {
    proxy_pass http://localhost:8080;
}
# Basic auth is enforced only for paths nginx matches against /resin-doc/
location /resin-doc/ {
    auth_basic "closed site";
    auth_basic_user_file /etc/.htpasswd;
}


Apache or nginx was used as the front end, proxying to a back end on port *:8080; the back end is a web server running Resin/4.0.55.

With Apache or nginx as a proxy server in front of Resin, location restrictions can be circumvented, for example when they are used for authorization.

A request to http://localhost/resin-doc/ prompts for credentials (login name and password). A specially crafted request does not; it looks similar to this: http://localhost/%C0%AFresin-doc%C0%AFindex.xtp

(%C0%AF is an overlong UTF-8 encoding of the “/” character.)

Alternatively, the request can take the form http://localhost/resin-doc\index.xtp

Resin normalizes “\” into “/”.


Unlike Resin, neither Apache nor nginx normalizes these sequences, so the front end passes the path through unchanged and does not match it against the restricted location. Once Resin normalizes it, the request is served as http://localhost/resin-doc/index.xtp, and the location restrictions are bypassed.
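To check request paths for this front-end/back-end disagreement, the following added example (not code from the original post) models both views and flags targets that the back end would resolve under the protected location while the front end never matched it. The function names, the slash-collapsing step and the sample targets are assumptions made for illustration; the back-end model covers only the %C0%AF and backslash folding discussed here.

```python
import re
from urllib.parse import unquote_to_bytes

PROTECTED_PREFIX = "/resin-doc/"  # location guarded in the configs above

def _collapse(path: str) -> str:
    # Assumption: both tiers treat a run of "/" as a single "/".
    return re.sub(r"/+", "/", path)

def frontend_view(target: str) -> str:
    """Path as the proxy's location match sees it: percent-decoding only,
    with no folding of overlong UTF-8 or backslashes."""
    path = target.split("?", 1)[0]
    return _collapse(unquote_to_bytes(path).decode("latin-1"))

def backend_view(target: str) -> str:
    """Simplified model of the back end: bytes C0 AF and a backslash
    are both folded to "/" before the path is resolved."""
    raw = unquote_to_bytes(target.split("?", 1)[0])
    raw = raw.replace(b"\xc0\xaf", b"/").replace(b"\\", b"/")
    return _collapse(raw.decode("latin-1"))

def is_location_mismatch(target: str) -> bool:
    """True when the back end resolves a protected path that the
    front-end location, and therefore its auth check, never matched."""
    return (backend_view(target).startswith(PROTECTED_PREFIX)
            and not frontend_view(target).startswith(PROTECTED_PREFIX))

def flag_mismatches(targets):
    """Return the request targets on which the two tiers disagree."""
    return [t for t in targets if is_location_mismatch(t)]

# Constructed request targets, using the request forms discussed above.
SAMPLE_TARGETS = [
    "/resin-doc/index.xtp",             # matched by the front end, auth applies
    "/%C0%AFresin-doc%C0%AFindex.xtp",  # overlong "/" separators
    "/resin-doc\\index.xtp",            # backslash separator
    "/index.html",                      # unprotected path
]

if __name__ == "__main__":
    for t in flag_mismatches(SAMPLE_TARGETS):
        print("front end and back end disagree:", t)
```

A flagged target means the authorization decision was made on a different path than the one the application served; enforcing the restriction in the back end, or rejecting such targets at the front end, removes the disagreement.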

Although this case can be considered a simple configuration error, the consequences can be quite serious. Watch out for it.
