Tomcat path traversal via reverse proxy mapping

Description
  • Web servers and reverse proxies normalize the request path. For example, the path /image/../image/ is normalized to /images/. When Apache Tomcat is used together with a reverse proxy such as nginx there is a nromalization inconsistency.

    Tomcat will threat the sequence /..;/ as /../ and normalize the path while reverse proxies will not normalize this sequence and send it to Apache Tomcat as it is.

    This allows an attacker to access Apache Tomcat resources that are not normally accessible via the reverse proxy mapping.
Remediation
  • Configure the reverse proxy to reject paths that contain the Tomcat path parameter character ;.