[midPoint] Password reset confirmation link contains invalid characters

Oleksandr Nekriach o.nekriach at dynatech.lv
Tue Sep 26 16:01:03 CEST 2017


Hello,

I have found that password reset confirmation link contains invalid
characters (for exp. |}{<> )  and could be exploited according to
CVE-2016-6816.
Such link does not work on tomcat server if the server has not a properly
configured option tomcat.util.http.parser.HttpParser.requestTargetAllow=

Is there some workaround to bypass this issue?

Example of invalid link
http://192.168.2.184:8080/midpoint/confirm/reset?user=
Oleksandr.Nekriach&token=FpX3{e5#.z%_

Logs from catalina.out
26-Sep-2017 16:41:00.370 INFO [http-nio-8080-exec-4]
org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request
header
 Note: further occurrences of HTTP header parsing errors will be logged at
DEBUG level.
 java.lang.IllegalArgumentException: Invalid character found in the request
target. The valid characters are defined in RFC 7230 and RFC 3986
        at
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:472)
        at
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:683)
        at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
        at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
        at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)


Best regards,

Oleksandr Nekriach | Identity and access management engineer

Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia

+37125314685 <+371%2025%20314%20685>
,
o.nekriach at dynatech.lv
|
www.dynatech.lv




Stay connected:
<https://www.facebook.com/DynatechLatvia/?ref=br_rs>
<https://www.linkedin.com/company-beta/17893047/>


Confidentiality Notice: This message contains confidential information and
is intended only for the named recipient(s). If you are not the addressee
you may not copy, distribute or perform any other activities with this
information. If you have received this transmission in error, please notify
us by e-mail immediately. E-mail transmission cannot be guaranteed to be
secure or error-free as information could be intercepted, corrupted, lost,
destroyed, arrive late or incomplete, or contain viruses.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170926/ca240168/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7771
Type: image/png
Size: 790 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170926/ca240168/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7770
Type: image/png
Size: 2602 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170926/ca240168/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7772
Type: image/png
Size: 786 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170926/ca240168/attachment-0002.png>


More information about the midPoint mailing list