[midPoint] Password reset confirmation link contains invalid characters

Pálos Gustáv gustav.palos at evolveum.com
Tue Sep 26 16:09:58 CEST 2017


Hi Oleksandr,

Please check your value policy configured for nonce and if is, remove
special characters from here.

Best regards,

Gustav

2017-09-26 16:01 GMT+02:00 Oleksandr Nekriach <o.nekriach at dynatech.lv>:

> Hello,
>
> I have found that password reset confirmation link contains invalid
> characters (for exp. |}{<> )  and could be exploited according to
> CVE-2016-6816.
> Such link does not work on tomcat server if the server has not a properly
> configured option tomcat.util.http.parser.HttpParser.requestTargetAllow=
>
> Is there some workaround to bypass this issue?
>
> Example of invalid link
> http://192.168.2.184:8080/midpoint/confirm/reset?user=Oleksa
> ndr.Nekriach&token=FpX3{e5#.z%_
>
> Logs from catalina.out
> 26-Sep-2017 16:41:00.370 INFO [http-nio-8080-exec-4]
> org.apache.coyote.http11.Http11Processor.service Error parsing HTTP
> request header
>  Note: further occurrences of HTTP header parsing errors will be logged at
> DEBUG level.
>  java.lang.IllegalArgumentException: Invalid character found in the
> request target. The valid characters are defined in RFC 7230 and RFC 3986
>         at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(
> Http11InputBuffer.java:472)
>         at org.apache.coyote.http11.Http11Processor.service(
> Http11Processor.java:683)
>         at org.apache.coyote.AbstractProcessorLight.process(
> AbstractProcessorLight.java:66)
>         at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(
> AbstractProtocol.java:868)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.
> doRun(NioEndpoint.java:1455)
>         at org.apache.tomcat.util.net.SocketProcessorBase.run(
> SocketProcessorBase.java:49)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:624)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(
> TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:748)
>
>
> Best regards,
>
> Oleksandr Nekriach | Identity and access management engineer
>
> Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia
>
> +37125314685 <+371%2025%20314%20685>
> ,
> o.nekriach at dynatech.lv
> |
> www.dynatech.lv
>
>
>
>
> Stay connected:
> <https://www.facebook.com/DynatechLatvia/?ref=br_rs>
> <https://www.linkedin.com/company-beta/17893047/>
>
>
> Confidentiality Notice: This message contains confidential information and
> is intended only for the named recipient(s). If you are not the addressee
> you may not copy, distribute or perform any other activities with this
> information. If you have received this transmission in error, please notify
> us by e-mail immediately. E-mail transmission cannot be guaranteed to be
> secure or error-free as information could be intercepted, corrupted, lost,
> destroyed, arrive late or incomplete, or contain viruses.
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>


-- 
Gustáv Pálos
Identity Engineer
evolveum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170926/c154028a/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7770
Type: image/png
Size: 2602 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170926/c154028a/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7771
Type: image/png
Size: 790 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170926/c154028a/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7772
Type: image/png
Size: 786 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170926/c154028a/attachment-0002.png>


More information about the midPoint mailing list