Restrict file access in Tomcat

Question

There is a serious security issue in our product which runs on apache tomcat server listening on ports 80 and 443. The routing of incoming HTTP/HTTPS packets on these ports is configured by our product classes, which fails to ensure that each requested URL refers to a file that is both located within the web root of the server and is of a type that is allowed to be served.

In particular, packets that match '/error/*' in the url are configured to use the 'docroot' folder as the document root for serving files. And so paths which traverse out of the /error/ (i.e docroot) directory using URL encoded backslashes %5C can also be accessed and downloaded. For example a remote user can give an url like –

    https://MyDomain/error/..%5c..%5csettings.properties

to access the remote file settings.properties that is on the same level as docroot. We are trying to overcome this through firewall rules and network segmentation. But is there a setting in tomcat that can be used to prevent remote users from accessing files outside the project root folder. That would be very useful.

Even if there is some filtering option that we can prevent access to file types like *.txt, *.properties other than the file path, even that would be very helpful. — user496934, Dec 11 '12 at 08:07

score 1 · Answer 1 · answered Dec 11 '12 at 08:08

1

You could be able to restrict access to your error folder using robots. and also you can map entry to error/* to the redirected page.

Encoding all requests and responses should solve the / -> %5c issue

answered Dec 11 '12 at 08:08

Mohamed Haseel

64
9

Hi thanks for you help. But can you please elaborate on this. – user496934 Dec 11 '12 at 08:11
Hello Mohammed..I would really appreciate if you could explain bit elaborately. – user496934 Dec 11 '12 at 09:53
Hello I have created a text file called robots.txt inside the webapps/ROOT folder with below contents -- User-agent: * Disallow: /*.txt – user496934 Dec 11 '12 at 09:59
But still .txt files can be accessed and downloaded. Your help on this would be appreciated. – user496934 Dec 11 '12 at 10:00
Is there any one to help me in this. Any guidance would be appreciated. – user496934 Dec 11 '12 at 10:57
Why do you disallow .txt files? For your case i think the disallow statement has to be Disallow : /error/ – Mohamed Haseel Dec 12 '12 at 04:04

score 1 · Accepted Answer · edited Jun 20 '20 at 09:12

If you want to restrict direct URL access to some files, put them under WEB-INF directory.

Quote from here (note: the below URL is currently unavalable):
http://www.servletworld.com/servlet-tutorials/web-application-directory-structure.html

Root directory contains a directory named WEB-INF. Anything under the root directory excepting the WEB-INF directory is publicly available, and can be accessed by URL from browser.

WEB-INF directory is a private area of the web application, any files under WEB-INF directory cannot be accessed directly from browser by specifying the URL like http://somesite/WEB-INF/someresource.html. Web container will not serve the content of this directory. However the content of the WEB-INF directory is accessible by the classes within the application. So if there are any resources like JSPs or HTML document that you don’t wish to be accessible directly from web browser, you should place it under WEB-INF directory.

@Gawey The "servletworld.com" website seems to be not hosted anymore. — informatik01, Dec 17 '18 at 04:14

Restrict file access in Tomcat

2 Answers2