
Our site was tested by one of the security scanner companies, which found a known vulnerability. It reads as: "Information Leakage is an application weakness where an application reveals sensitive data".

The server runs ColdFusion 2016 with Tomcat 8.5.42.

When the security folks run the curl command-line tool with an altered Host name, simulating a hack, the server generates a Java stack error with too much information about the server.

Below is the command:

C:\curl\bin\curl.exe -i -s -k -X "GET" -H "Accept: application/json,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" -H "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7" -H "Accept-Language: en-us,en;q=0.5" -H "Host: whs'check" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0 Software Security Group" "https://www.[mysite.com]/"

The output results in the Java stack error below:

<!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> The character [&#39;] is never valid in a domain name.</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).</p><p><b>Exception</b></p><pre>java.lang.IllegalArgumentException: The character [&#39;] is never valid in a domain name.
    org.apache.tomcat.util.http.parser.HttpParser$DomainParseState.next(HttpParser.java:966)
    org.apache.tomcat.util.http.parser.HttpParser.readHostDomainName(HttpParser.java:842)
    org.apache.tomcat.util.http.parser.Host.parse(Host.java:66)
    org.apache.tomcat.util.http.parser.Host.parse(Host.java:40)
    org.apache.coyote.AbstractProcessor.parseHost(AbstractProcessor.java:293)
    org.apache.coyote.ajp.AjpProcessor.prepareRequest(AjpProcessor.java:1062)
    org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:523)
    org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
    org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    java.lang.Thread.run(Thread.java:745)

The culprit in the command is "Host: whs'check", where the illegal character is the single quotation mark "'".

I tried a few things, like adding an entry to the server.xml file:

<Connector port=".... relaxedQueryChars="'">

Also, I tried adding to catalina.properties:

tomcat.util.http.parser.HttpParser.requestTargetAllow='

or

tomcat.util.http.parser.HttpParser.requestTargetAllow="'"

Nothing seems to work. We need to figure out a way not to display server-related errors when running client tools like curl. We have a generic error page that displays every time an error happens when users access the site from a browser.

Someone suggested restricting error visibility to certain IPs. There is no setting that I can see in the ColdFusion Admin to do that. Is there something in the Apache Tomcat config to do that? Maybe by adding something to the catalina.properties file?

Thanks

user1706426
  • Maybe this q&a can help you https://stackoverflow.com/q/52814582/2482184 – Nebu Apr 23 '20 at 15:52
  • This works for users entering the URL into a browser. We have a handler with a custom error page and it works fine. The problem is with this curl tool and entering a malformed host – user1706426 Apr 23 '20 at 18:55
  • Are you using the built-in Tomcat web server? If not, you can disable it. If you are, you can restrict which IP addresses it allows to serve. This is all documented in the ColdFusion lockdown guide - [CF 2016 lock down guide](https://www.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/coldfusion-2016-lockdown-guide.pdf), see section 4. Also, the 2018 lockdown guide shows some more configuration settings for Tomcat. – Miguel-F Apr 23 '20 at 21:35
  • Thank you Miguel, I tried these and none is working. There is a consensus building that this might be a bug specific to Tomcat (as this query does not seem to reach the CF part...) and how it handles queries from, in this case, the text browser curl. This does not happen in regular web browsers. – user1706426 Apr 24 '20 at 12:40
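As an added example (not from the question or from Adobe's bundled configuration), the Tomcat-level setting that suppresses the "Exception Report" body is the ErrorReportValve declared on the Host element in server.xml; relaxedQueryChars and requestTargetAllow only relax parsing of the request-line target, not the Host header, which is why they had no effect here. The Engine/Host attributes below are placeholders assumed to match the ColdFusion-bundled Tomcat; keep your existing ones and add only the Valve line.

```xml
<!-- Added example: Host block for a Tomcat 8.5 server.xml.
     Only the Valve element is the fix; the Engine/Host attributes
     are placeholders standing in for the existing ones. -->
<Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">

    <!-- Weak (the implicit default when no valve is declared):
         Tomcat adds an ErrorReportValve with showReport="true", so a
         parse failure such as an invalid Host header renders the
         built-in page with the exception message and full stack trace. -->

    <!-- Hardened: keep the HTTP 400/500 status code, but omit the
         message/description/stack-trace report (showReport) and the
         Tomcat version string in the footer (showServerInfo). -->
    <Valve className="org.apache.catalina.valves.ErrorReportValve"
           showReport="false"
           showServerInfo="false" />

  </Host>
</Engine>
```

Restart the ColdFusion service after editing; the trace in the question came in through the AJP connector (AjpProcessor), and because the valve sits on the Host rather than on a Connector it applies to requests from the AJP and HTTP connectors alike.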

0 Answers