<div dir="ltr"><div>Hi Ivan,<br><br></div>That is a good Idea and there is only one place that could be connected and I will check it<br><br><limit><br> <description>Special characters</description><br> <minOccurs>1</minOccurs><br> <maxOccurs>5</maxOccurs><br> <mustBeFirst>false</mustBeFirst><br> <characterClass><br> <value><b> !"#$%&'()*+,-.:;<>?@[]^_`{|}~</b></value><br> </characterClass><br> </limit><br></div><div class="gmail_extra"><br><div class="gmail_quote">2017-09-26 17:06 GMT+03:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>could this be related to the password policy used in your
password reset configuration?</p>
<p>Ivan<br>
</p><div><div class="h5">
<br>
<div class="m_-6049335794753673023moz-cite-prefix">On 26.09.2017 16:01, Oleksandr Nekriach
wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr">
<div>
<div>
<div>
<div>Hello,<br>
<br>
</div>
I have found that password reset confirmation link
contains invalid characters (for exp. |}{<> ) and
could be exploited according to CVE-2016-6816.<br>
</div>
Such link does not work on tomcat server if the server has
not a properly configured option
tomcat.util.http.parser.<wbr>HttpParser.requestTargetAllow=<br>
<br>
</div>
Is there some workaround to bypass this issue?<br>
<br>
</div>
Example of invalid link<br>
<a href="http://192.168.2.184:8080/midpoint/confirm/reset?user=Oleksandr.Nekriach&token=FpX3%7Be5#.z%_" rel="noreferrer" target="_blank">http://192.168.2.184:8080/midp<wbr>oint/confirm/reset?user=Oleksa<wbr>ndr.Nekriach&token=FpX3{e5#.z%<wbr>_</a>
<div>
<div><br>
Logs from catalina.out<br>
26-Sep-2017 16:41:00.370 INFO [http-nio-8080-exec-4]
org.apache.coyote.http11.<wbr>Http11Processor.service Error
parsing HTTP request header<br>
Note: further occurrences of HTTP header parsing errors
will be logged at DEBUG level.<br>
java.lang.<wbr>IllegalArgumentException: Invalid character found
in the request target. The valid characters are defined in
RFC 7230 and RFC 3986<br>
at
org.apache.coyote.http11.<wbr>Http11InputBuffer.<wbr>parseRequestLine(<wbr>Http11InputBuffer.java:472)<br>
at
org.apache.coyote.http11.<wbr>Http11Processor.service(<wbr>Http11Processor.java:683)<br>
at
org.apache.coyote.<wbr>AbstractProcessorLight.<wbr>process(<wbr>AbstractProcessorLight.java:<wbr>66)<br>
at
org.apache.coyote.<wbr>AbstractProtocol$<wbr>ConnectionHandler.process(<wbr>AbstractProtocol.java:868)<br>
at
<a href="http://org.apache.tomcat.util.net">org.apache.tomcat.util.net</a>.<wbr>NioEndpoint$SocketProcessor.<wbr>doRun(NioEndpoint.java:1455)<br>
at
<a href="http://org.apache.tomcat.util.net">org.apache.tomcat.util.net</a>.<wbr>SocketProcessorBase.run(<wbr>SocketProcessorBase.java:49)<br>
at
java.util.concurrent.<wbr>ThreadPoolExecutor.runWorker(<wbr>ThreadPoolExecutor.java:1149)<br>
at
java.util.concurrent.<wbr>ThreadPoolExecutor$Worker.run(<wbr>ThreadPoolExecutor.java:624)<br>
at
org.apache.tomcat.util.<wbr>threads.TaskThread$<wbr>WrappingRunnable.run(<wbr>TaskThread.java:61)<br>
at java.lang.Thread.run(Thread.<wbr>java:748)<br>
<br>
<br clear="all">
<div>
<div>
<div>
<div>
<div>
<div class="m_-6049335794753673023gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr"><span style="color:rgb(76,76,76)">Best
regards, <br>
<br>
Oleksandr Nekriach | Identity and access
management engineer <br>
<br>
Dynatech, Mednieku str. 4a, Riga,
LV-1010, Latvia <br>
<br>
<div style="display:inline-block"><a href="tel:+371%2025%20314%20685" value="+37125314685" target="_blank">+37125314685</a></div>
,
<div style="display:inline-block"><a href="mailto:o.nekriach@dynatech.lv" target="_blank">o.nekriach@dynatech.lv</a></div>
|
<div style="display:inline-block"><a href="http://www.dynatech.lv" target="_blank">www.dynatech.lv</a></div>
<br>
<br>
<img src="cid:part5.5E1CD1EC.96233131@evolveum.com"> <br>
<br>
Stay connected: <br>
<div style="display:inline-block;margin:5px 5px 0px 0px"><a href="https://www.facebook.com/DynatechLatvia/?ref=br_rs" target="_blank"><img src="cid:part6.7AF788DA.AB703B30@evolveum.com"></a></div>
<div style="display:inline-block;margin:5px 0px 0px"><a href="https://www.linkedin.com/company-beta/17893047/" target="_blank"><img src="cid:part8.B82526F9.C8F9CBFF@evolveum.com"></a></div>
<br>
<br>
<span style="font-size:11px;color:rgb(161,161,161)">Confidentiality
Notice: This message contains
confidential information and is
intended only for the named
recipient(s). If you are not the
addressee you may not copy, distribute
or perform any other activities with
this information. If you have received
this transmission in error, please
notify us by e-mail immediately.
E-mail transmission cannot be
guaranteed to be secure or error-free
as information could be intercepted,
corrupted, lost, destroyed, arrive
late or incomplete, or contain
viruses.</span></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="m_-6049335794753673023mimeAttachmentHeader"></fieldset>
<br>
</div></div><pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_-6049335794753673023moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_-6049335794753673023moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><span class="HOEnZb"><font color="#888888">
</font></span></pre><span class="HOEnZb"><font color="#888888">
</font></span></blockquote><span class="HOEnZb"><font color="#888888">
<br>
<pre class="m_-6049335794753673023moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</font></span></div>
<br>______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><span style="color:#4c4c4c">Best regards, <br><br>Oleksandr Nekriach | Identity and access management engineer <br><br>Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia <br><br><div style="display:inline-block"><a href="tel:+371%2025%20314%20685" value="+37125314685" target="_blank">+37125314685</a></div>, <div style="display:inline-block"><a href="mailto:o.nekriach@dynatech.lv" target="_blank">o.nekriach@dynatech.lv</a></div> | <div style="display:inline-block"><a href="http://www.dynatech.lv" target="_blank">www.dynatech.lv</a></div> <br><br><img src="cid:o.nekriach@dynatech.lv1502777022855-7770"> <br><br>Stay connected: <br><div style="display:inline-block;margin:5px 5px 0 0"><a href="https://www.facebook.com/DynatechLatvia/?ref=br_rs" target="_blank"><img src="cid:o.nekriach@dynatech.lv1502777022855-7771"></a></div><div style="display:inline-block;margin:5px 0 0 0"><a href="https://www.linkedin.com/company-beta/17893047/" target="_blank"><img src="cid:o.nekriach@dynatech.lv1502777022855-7772"></a></div><br><br><span style="font-size:11px;color:#a1a1a1">Confidentiality
Notice: This message contains confidential information and is intended
only for the named recipient(s). If you are not the addressee you may
not copy, distribute or perform any other activities with this
information. If you have received this transmission in error, please
notify us by e-mail immediately. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or incomplete, or
contain viruses.</span></span></div></div></div></div>
</div>