How to fix directory traversal vulnerability on Tomcat 9

3.2k Views Asked by samuelj At 25 April 2025 at 13:53

I have a JEE service on a Tomcat 9 container (Debian 10.8). In front of it an Apache Web Server + mod_proxy_ajp.

In my VH I do not have any ProxyPass rule for /manager/html context but if on a Web client I rewrite my URL adding /..;/manager/html (e.g.: https://www.example.org/site/..;/manager/html) the Tomcat Manager asks for crediatials.

Is there a trick to avoid it? Maybe using modsecurity? Thanks.

Original Q&A

There are 2 best solutions below

samuelj On 26 August 2021 at 10:06

I solved the problem using a mod_security rules:

SecRule REQUEST_URI "@rx ..;/" "phase:1,severity:'CRITICAL',deny,id:129"

It works.

Piotr P. Karwasz On 26 August 2021 at 11:35

Since path parameters are only used in Tomcat for session tracking (as an alternative to cookies), you can safely remove them in Apache2 from the .. path segment :

RewriteEngine on
RewriteRule ^(.*)/\.\.;[^/]*(.*)$ $1/..$2 [N]

Alternatively you can remove them altogether:

RewriteEngine on
RewriteRule ^(.*);[^/]*(.*)$ $1$2 [N]

and configure Tomcat to use only cookies for session tracking in $CATALINA_BASE/conf/web.xml:

    <session-config>
        ...
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

How to fix directory traversal vulnerability on Tomcat 9

There are 2 best solutions below

Related Questions in APACHE

Related Questions in TOMCAT

Related Questions in HTTPD.CONF

Related Questions in DIRECTORY-TRAVERSAL

Trending Questions

Popular # Hahtags

Popular Questions