[midPoint] Password reset confirmation link contains invalid characters

Ivan Noris ivan.noris at evolveum.com
Tue Sep 26 16:06:18 CEST 2017


Hi,

could this be related to the password policy used in your password reset
configuration?

Ivan


On 26.09.2017 16:01, Oleksandr Nekriach wrote:
> Hello,
>
> I have found that the password reset confirmation link contains invalid
> characters (e.g. |}{<> ) and could be exploited according to
> CVE-2016-6816.
> Such a link does not work on a Tomcat server if the server does not have a
> properly configured option
> tomcat.util.http.parser.HttpParser.requestTargetAllow=
>
> Is there some workaround to bypass this issue?
>
> Example of an invalid link:
> http://192.168.2.184:8080/midpoint/confirm/reset?user=Oleksandr.Nekriach&token=FpX3{e5#.z%_
>
>
> Logs from catalina.out
> 26-Sep-2017 16:41:00.370 INFO [http-nio-8080-exec-4] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
>  Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
>  java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
>         at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:472)
>         at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:683)
>         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>         at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
>         at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:748)
>
>
> Best regards,
>
> Oleksandr Nekriach | Identity and access management engineer
>
> Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
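An added illustration of the failure described in the quoted report, written for this page and not code from midPoint, Tomcat or either poster: it flags the characters RFC 3986 (the rule the Tomcat log message cites) does not permit unencoded in a request target, then shows the same link built with the token percent-encoded, and a token drawn from a URL-safe alphabet so that no such character can reach the request line at all. The function names are my own, the link is the one quoted in the report, and the allowed-character set is my reading of RFC 3986 rather than a copy of Tomcat's parser.

```python
import re
import secrets
from urllib.parse import quote

# Characters RFC 3986 allows unencoded in a path or query: unreserved,
# sub-delims, ":" "@" "/" "?". "%" is only valid as a "%XX" escape.
_ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
               "0123456789-._~!$&'()*+,;=:@/?")
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")

# The link quoted in the original report (host and token as given there).
RAW_LINK = ("http://192.168.2.184:8080/midpoint/confirm/reset"
            "?user=Oleksandr.Nekriach&token=FpX3{e5#.z%_")


def request_target(url: str) -> str:
    """Everything after scheme://authority, i.e. what lands on the request line."""
    _, _, rest = url.partition("://")
    slash = rest.find("/")
    return rest[slash:] if slash >= 0 else "/"


def invalid_chars(target: str) -> list:
    """Characters a strict RFC 3986 parser rejects in a request target.
    "#" is flagged too: a fragment is never sent on the request line."""
    bad, i = [], 0
    while i < len(target):
        c = target[i]
        if c == "%" and _PCT.match(target, i):
            i += 3                      # well-formed escape, skip "%XX"
            continue
        if c not in _ALLOWED:
            bad.append(c)               # includes a bare "%" not followed by hex
        i += 1
    return bad


def build_reset_link(base: str, user: str, token: str) -> str:
    """Hypothetical link builder: percent-encode both query values so any
    character outside the unreserved set is sent as %XX."""
    return (f"{base}/midpoint/confirm/reset"
            f"?user={quote(user, safe='')}&token={quote(token, safe='')}")


def urlsafe_token(nbytes: int = 24) -> str:
    """Token from the URL-safe base64 alphabet (A-Z a-z 0-9 - _), all of
    which RFC 3986 treats as unreserved, so encoding becomes a no-op."""
    return secrets.token_urlsafe(nbytes)
```

On the quoted link `invalid_chars` reports `{`, `#` and the bare `%` of `%_`; after `build_reset_link` the token travels as `FpX3%7Be5%23.z%25_` and the check is empty.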
