May 07, 2018 - 1:46 p.m.

Quick tip: Watch out — restriction by location can be circumvented.

Wallarm
lab.wallarm.com

by @Andrey Danau, Wallarm Research

If you are like many app developers, you may be running nginx or Apache as a proxy or web server in front of your application. If you are on a tight schedule, it is tempting to tie authorization and data controls simply to the locations defined in that front end.

Here lies a pitfall: the Java-based back end and the front end treat the location path differently, and because of this it is possible to bypass the location-based restrictions.

Let’s consider an example where a basic authorization can be circumvented.

The example in this post was tested with Apache/2.4.27 (Ubuntu) and nginx/1.10.3 (Ubuntu).

Apache configuration was as follows:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Basic auth is enforced only for requests whose path matches this prefix
    <Location /resin-doc/>
        AuthType Basic
        AuthName "test"
        AuthUserFile "/etc/.htpasswd"
        Require valid-user
    </Location>

    # Everything is forwarded to the Resin back end on port 8080
    ProxyPass / http://0.0.0.0:8080/
    ProxyPassReverse / http://0.0.0.0:8080/
</VirtualHost>

For nginx:

location / {
    proxy_pass http://localhost:8080;
}

# Basic auth is enforced only for requests whose path matches this prefix
location /resin-doc/ {
    auth_basic "closed site";
    auth_basic_user_file /etc/.htpasswd;
}

Apache or nginx was used as the front end, proxying to a back end on port *:8080; the back end was a web server running Resin/4.0.55.

With Apache or nginx acting as a proxy in front of Resin, the location restrictions can be circumvented, for example when they are used for authorization.

The URL http://localhost/resin-doc/ prompts for credentials (login name and password); a specially crafted request that avoids the prompt looks similar to this: http://localhost/%C0%AFresin-doc%C0%AFindex.xtp

(%C0%AF is an overlong UTF-8 encoding of the "/" character)

Alternatively, the request can take the form http://localhost/resin-doc\index.xtp

Resin normalizes "\" into "/".

Unlike Resin, neither Apache nor nginx changes or normalizes the path at all, so the front-end location check never matches; by the time the request reaches the back end it is treated as http://localhost/resin-doc/index.xtp, and the location restrictions are bypassed.
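As an added example (not code from the post, from Wallarm or from Resin), the following Python models the mismatch described above from the defender's side: it canonicalizes a request path the way the post says the back end does (lenient percent-decoding that accepts overlong sequences such as %C0%AF, backslash to slash, collapsed slashes, resolved dot segments) and flags any request whose canonical form lands under the protected prefix even though the front end's plain prefix match does not. The lenient decoder and the canonicalization rules are assumptions approximating the behaviour the post describes, not Resin's implementation.

```python
from urllib.parse import unquote_to_bytes

PROTECTED_PREFIX = "/resin-doc/"  # the Location / location block from the configs above


def lenient_utf8(raw: bytes) -> str:
    """Decode UTF-8 but also accept overlong 2-byte forms, e.g. C0 AF -> '/'.
    Assumption: approximates a lenient back-end decoder; a strict decoder rejects these."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:                                   # plain ASCII
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            # 2-byte sequence, including the overlong C0/C1 lead bytes
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))); i += 2
        else:                                          # 3/4-byte or invalid: strict decode
            n = 3 if 0xE0 <= b < 0xF0 else 4 if b >= 0xF0 else 1
            out.append(raw[i:i + n].decode("utf-8", "replace")); i += n
    return "".join(out)


def front_end_path(request_path: str) -> str:
    """Front-end view per the post: percent-decoding only, no other normalization."""
    return unquote_to_bytes(request_path).decode("utf-8", "surrogateescape")


def canonical_path(request_path: str) -> str:
    """Back-end view per the post: lenient decode, '\\' -> '/', collapse '//' and resolve '.'/'..'."""
    decoded = lenient_utf8(unquote_to_bytes(request_path)).replace("\\", "/")
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
        else:
            parts.append(seg)
    trailing = "/" if decoded.endswith("/") and parts else ""
    return "/" + "/".join(parts) + trailing


def location_bypass(request_path: str) -> bool:
    """True when the front end would not apply auth but the back end serves a protected path."""
    front_protected = front_end_path(request_path).startswith(PROTECTED_PREFIX)
    back_protected = canonical_path(request_path).startswith(PROTECTED_PREFIX)
    return back_protected and not front_protected


if __name__ == "__main__":
    for p in ("/resin-doc/index.xtp", "/%C0%AFresin-doc%C0%AFindex.xtp", "/resin-doc\\index.xtp"):
        print(p, "->", canonical_path(p), "bypass:", location_bypass(p))
```

A front end or WAF that applies this canonicalization before matching protected prefixes (or that rejects overlong encodings and backslashes outright) removes the mismatch the post relies on.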

Although this case can be considered a simple configuration error, the consequences can be quite serious. Watch out for it.


Quick tip: Watch out — restriction by location can be circumvented. was originally published in Wallarm on Medium.