[midPoint] Password reset confirmation link contains invalid characters

Oleksandr Nekriach o.nekriach at dynatech.lv
Tue Sep 26 16:22:37 CEST 2017 

Hi Ivan,

That is a good Idea and  there is only one place that could be connected
and I will check it

<limit>
            <description>Special characters</description>
            <minOccurs>1</minOccurs>
            <maxOccurs>5</maxOccurs>
            <mustBeFirst>false</mustBeFirst>
            <characterClass>
               <value>* !"#$%&'()*+,-.:;<>?@[]^_`{|}~*</value>
            </characterClass>
         </limit>

2017-09-26 17:06 GMT+03:00 Ivan Noris <ivan.noris at evolveum.com>:

> Hi,
>
> could this be related to the password policy used in your password reset
> configuration?
>
> Ivan
>
> On 26.09.2017 16:01, Oleksandr Nekriach wrote:
>
> Hello,
>
> I have found that password reset confirmation link contains invalid
> characters (for exp. |}{<> )  and could be exploited according to
> CVE-2016-6816.
> Such link does not work on tomcat server if the server has not a properly
> configured option tomcat.util.http.parser.HttpParser.requestTargetAllow=
>
> Is there some workaround to bypass this issue?
>
> Example of invalid link
> http://192.168.2.184:8080/midpoint/confirm/reset?user=Oleksa
> ndr.Nekriach&token=FpX3{e5#.z%_
>
> Logs from catalina.out
> 26-Sep-2017 16:41:00.370 INFO [http-nio-8080-exec-4]
> org.apache.coyote.http11.Http11Processor.service Error parsing HTTP
> request header
>  Note: further occurrences of HTTP header parsing errors will be logged at
> DEBUG level.
>  java.lang.IllegalArgumentException: Invalid character found in the
> request target. The valid characters are defined in RFC 7230 and RFC 3986
>         at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(
> Http11InputBuffer.java:472)
>         at org.apache.coyote.http11.Http11Processor.service(
> Http11Processor.java:683)
>         at org.apache.coyote.AbstractProcessorLight.process(
> AbstractProcessorLight.java:66)
>         at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(
> AbstractProtocol.java:868)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.
> doRun(NioEndpoint.java:1455)
>         at org.apache.tomcat.util.net.SocketProcessorBase.run(
> SocketProcessorBase.java:49)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:624)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(
> TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:748)
>
>
> Best regards,
>
> Oleksandr Nekriach | Identity and access management engineer
>
> Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia
>
> +37125314685 <+371%2025%20314%20685>
> ,
> o.nekriach at dynatech.lv
> |
> www.dynatech.lv
>
>
>
>
> Stay connected:
> <https://www.facebook.com/DynatechLatvia/?ref=br_rs>
> <https://www.linkedin.com/company-beta/17893047/>
>
>
> Confidentiality Notice: This message contains confidential information and
> is intended only for the named recipient(s). If you are not the addressee
> you may not copy, distribute or perform any other activities with this
> information. If you have received this transmission in error, please notify
> us by e-mail immediately. E-mail transmission cannot be guaranteed to be
> secure or error-free as information could be intercepted, corrupted, lost,
> destroyed, arrive late or incomplete, or contain viruses.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
> Ivan Noris
> Senior Identity Engineerevolveum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>


-- 
Best regards,

Oleksandr Nekriach | Identity and access management engineer

Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia

+37125314685 <+371%2025%20314%20685>
,
o.nekriach at dynatech.lv
|
www.dynatech.lv




Stay connected:
<https://www.facebook.com/DynatechLatvia/?ref=br_rs>
<https://www.linkedin.com/company-beta/17893047/>


Confidentiality Notice: This message contains confidential information and
is intended only for the named recipient(s). If you are not the addressee
you may not copy, distribute or perform any other activities with this
information. If you have received this transmission in error, please notify
us by e-mail immediately. E-mail transmission cannot be guaranteed to be
secure or error-free as information could be intercepted, corrupted, lost,
destroyed, arrive late or incomplete, or contain viruses.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170926/2ec2e133/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7771
Type: image/png
Size: 790 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170926/2ec2e133/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7772
Type: image/png
Size: 786 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170926/2ec2e133/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7771
Type: image/png
Size: 790 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170926/2ec2e133/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7770
Type: image/png
Size: 2602 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170926/2ec2e133/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7770
Type: image/png
Size: 2602 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170926/2ec2e133/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7772
Type: image/png
Size: 786 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170926/2ec2e133/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ExportedData_ValuePolicyType_1506435472766.xml
Type: text/xml
Size: 3774 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170926/2ec2e133/attachment.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ExportedData_SecurityPolicyType_1506435460989.xml
Type: text/xml
Size: 4380 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170926/2ec2e133/attachment-0001.xml>

More information about the midPoint mailing list