<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>could this be related to the password policy used in your
password reset configuration?</p>
<p>Ivan<br>
</p>
<br>
<div class="moz-cite-prefix">On 26.09.2017 16:01, Oleksandr Nekriach
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CANb693RDV-EQwo7Sj6k37z68nWN+t8tRd+k-HchBwwUw0yJ+kw@mail.gmail.com">
<div dir="ltr">
<div>
<div>
<div>
<div>Hello,<br>
<br>
</div>
I have found that the password reset confirmation link
contains invalid characters (for example |}{<> ) and
could be exploited according to CVE-2016-6816.<br>
</div>
Such a link does not work on a Tomcat server unless the server
has the option
tomcat.util.http.parser.HttpParser.requestTargetAllow= properly configured.<br>
<br>
</div>
Is there some workaround to bypass this issue?<br>
<br>
</div>
Example of invalid link<br>
<a
href="http://192.168.2.184:8080/midpoint/confirm/reset?user=Oleksandr.Nekriach&token=FpX3%7Be5#.z%_"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://192.168.2.184:8080/midpoint/confirm/reset?user=Oleksandr.Nekriach&token=FpX3{e5#.z%_</a>
<div>
<div><br>
Logs from catalina.out<br>
26-Sep-2017 16:41:00.370 INFO [http-nio-8080-exec-4]
org.apache.coyote.http11.Http11Processor.service Error
parsing HTTP request header<br>
Note: further occurrences of HTTP header parsing errors
will be logged at DEBUG level.<br>
java.lang.IllegalArgumentException: Invalid character found
in the request target. The valid characters are defined in
RFC 7230 and RFC 3986<br>
at
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:472)<br>
at
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:683)<br>
at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)<br>
at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)<br>
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)<br>
at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)<br>
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)<br>
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)<br>
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)<br>
at java.lang.Thread.run(Thread.java:748)<br>
<br>
<br clear="all">
<div>
<div>
<div>
<div>
<div>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr"><span
style="color:rgb(76,76,76)">Best
regards, <br>
<br>
Oleksandr Nekriach | Identity and access
management engineer <br>
<br>
Dynatech, Mednieku str. 4a, Riga,
LV-1010, Latvia <br>
<br>
<div style="display:inline-block"><a
href="tel:+371%2025%20314%20685"
value="+37125314685" target="_blank"
moz-do-not-send="true">+37125314685</a></div>
,
<div style="display:inline-block"><a
href="mailto:o.nekriach@dynatech.lv"
target="_blank"
moz-do-not-send="true">o.nekriach@dynatech.lv</a></div>
|
<div style="display:inline-block"><a
href="http://www.dynatech.lv"
target="_blank"
moz-do-not-send="true">www.dynatech.lv</a></div>
<br>
<br>
</span></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
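<p>The parse error quoted above is Tomcat's RFC 7230/3986 check on the request target. The following Python is an added example, not midPoint's or Tomcat's code: it reports which characters of the reset link's query string a strict parser rejects, then shows the two application-side fixes, percent-encoding the token or generating tokens from the unreserved alphabet. The base URL, user and token are taken from the link displayed in the quoted message; the function names are assumptions.</p>

```python
"""Added example (not midPoint or Tomcat code): check a reset link's query
string against the RFC 3986 query grammar that Tomcat enforces on the
request target, then apply two application-side fixes."""
import re
import secrets
import string
from urllib.parse import urlencode

# RFC 3986: query = *( pchar / "/" / "?" )
#           pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
SUB_DELIMS = set("!$&'()*+,;=")
QUERY_ALLOWED = UNRESERVED | SUB_DELIMS | set(":@/?")

def invalid_query_chars(query):
    """Return the characters of a raw query string that a strict RFC 3986
    parser rejects. '%' is only valid as the start of a two-hex-digit escape,
    so the bare '%' in 'z%_' counts as invalid."""
    bad = []
    for tok in re.findall(r"%[0-9A-Fa-f]{2}|.", query):
        if len(tok) == 3:
            continue                    # well-formed pct-encoded triplet
        if tok not in QUERY_ALLOWED:
            bad.append(tok)
    return bad

def build_reset_link(base, user, token):
    """Fix 1: percent-encode every query value before the link goes into
    the mail; urlencode() escapes '{', '#' and '%' as %7B, %23 and %25."""
    return base + "?" + urlencode({"user": user, "token": token})

def is_url_safe(token):
    """True when the token needs no encoding at all (unreserved chars only)."""
    return all(ch in UNRESERVED for ch in token)

def url_safe_token(nbytes=24):
    """Fix 2: generate tokens from the URL-safe base64 alphabet (A-Z a-z 0-9
    '-' '_'), a subset of RFC 3986 unreserved, so is_url_safe() always holds."""
    return secrets.token_urlsafe(nbytes)

# Constructed sample, taken from the link displayed in the quoted message.
BASE = "http://192.168.2.184:8080/midpoint/confirm/reset"
USER = "Oleksandr.Nekriach"
RAW_TOKEN = "FpX3{e5#.z%_"

if __name__ == "__main__":
    print("rejected:", invalid_query_chars("user=%s&token=%s" % (USER, RAW_TOKEN)))
    print("encoded: ", build_reset_link(BASE, USER, RAW_TOKEN))
    print("url-safe:", is_url_safe(url_safe_token()))
```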
</body>
</html>