<div dir="ltr"><div><div><div><div>Hello,<br><br></div>I have found that password reset confirmation link contains invalid characters (for exp. |}{<> ) and could be exploited according to CVE-2016-6816.<br></div>Such link does not work on tomcat server if the server has not a properly configured option tomcat.util.http.parser.HttpParser.requestTargetAllow=<br><br></div>Is there some workaround to bypass this issue?<br><br></div>Example of invalid link<br><a href="http://192.168.2.184:8080/midpoint/confirm/reset?user=Oleksandr.Nekriach&token=FpX3%7Be5#.z%_" rel="noreferrer" target="_blank">http://192.168.2.184:8080/<wbr>midpoint/confirm/reset?user=<wbr>Oleksandr.Nekriach&token=FpX3{<wbr>e5#.z%_</a><div><div><br>Logs from catalina.out<br>26-Sep-2017 16:41:00.370 INFO [http-nio-8080-exec-4] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header<br> Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.<br> java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986<br> at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:472)<br> at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:683)<br> at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)<br> at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)<br> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)<br> at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)<br> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)<br> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)<br> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)<br> at java.lang.Thread.run(Thread.java:748)<br><br><br clear="all"><div><div><div><div><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><span style="color:rgb(76,76,76)">Best regards, <br><br>Oleksandr Nekriach | Identity and access management engineer <br><br>Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia <br><br><div style="display:inline-block"><a href="tel:+371%2025%20314%20685" value="+37125314685" target="_blank">+37125314685</a></div>, <div style="display:inline-block"><a href="mailto:o.nekriach@dynatech.lv" target="_blank">o.nekriach@dynatech.lv</a></div> | <div style="display:inline-block"><a href="http://www.dynatech.lv" target="_blank">www.dynatech.lv</a></div> <br><br><img src="cid:o.nekriach@dynatech.lv1502777022855-7770"> <br><br>Stay connected: <br><div style="display:inline-block;margin:5px 5px 0px 0px"><a href="https://www.facebook.com/DynatechLatvia/?ref=br_rs" target="_blank"><img src="cid:o.nekriach@dynatech.lv1502777022855-7771"></a></div><div style="display:inline-block;margin:5px 0px 0px"><a href="https://www.linkedin.com/company-beta/17893047/" target="_blank"><img src="cid:o.nekriach@dynatech.lv1502777022855-7772"></a></div><br><br><span style="font-size:11px;color:rgb(161,161,161)">Confidentiality
Notice: This message contains confidential information and is intended
only for the named recipient(s). If you are not the addressee you may
not copy, distribute or perform any other activities with this
information. If you have received this transmission in error, please
notify us by e-mail immediately. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or incomplete, or
contain viruses.</span></span></div></div></div></div>
</div></div></div></div></div></div></div></div>