Layer 7 Access Management

Expand all | Collapse all

Unexpected access to a protected resource

Jump to Best Answer
  • 1.  Unexpected access to a protected resource

    Posted 09-18-2017 07:05 AM

    Hi Team,

    We would like to know whether this Unexpected access to a protected resource in the backend server Tomcat without authentication  vulnerability has been closed in any of the current version. If yes, please let me know know the version from which this vulnerability was patched.

     

    Thanks.

     

    Best Regards,

    Krishna



  • 2.  Re: Unexpected access to a protected resource

    Posted 09-18-2017 07:17 AM

    HiI Krishna , I think the resolution for this is to include semicolon in the list of BadCssChars ACO



  • 3.  Re: Unexpected access to a protected resource

    Posted 09-18-2017 07:34 AM

    HI Ujwol,

    Thanks for your reply. I have read about this workaround. Actually this is a vulnerability. I am expecting CA should have patched it in upcoming releases.  Please let me know if it was patched.

     

    Best Regards,

    Krishna



  • 4.  Re: Unexpected access to a protected resource

    Posted 09-18-2017 08:27 AM

    Hi Ujwol,

    Thank you for your quick response. When we communicated with the customer we came to know that he is using IIS web-server in back-end not Apache.  Do we have the same issue in IIS as well ?

     

    Best Regards,

    Krishna



  • 5.  Re: Unexpected access to a protected resource

    Posted 09-18-2017 07:42 AM

    If you disable sso, does apache allow access to the file? 


    if yes, then it needs to be patched on Apache/tomcat level. May be there is some option to disable this path parameter in Apache side?



  • 6.  Re: Unexpected access to a protected resource

    Posted 09-18-2017 08:33 AM

    Hi Ujwol,

    Thank you for your quick response. When we communicated with the customer we came to know that he is using IIS web-server in back-end not Apache.  Do we have the same issue in IIS as well ?

     

    Best Regards,

    Krishna



  • 7.  Re: Unexpected access to a protected resource
    Best Answer

    Posted 09-18-2017 08:51 AM
    It seems to affect IIS 6 and below.

    Seems to be fixed in IIS 7.0 and higher version:


    https://nvd.nist.gov/vuln/detail/CVE-2009-4444



  • 8.  Re: Unexpected access to a protected resource

    Posted 09-19-2017 07:36 PM

    Hi Krishna ,


    Do you have any further question here?



  • 9.  Re: Unexpected access to a protected resource

    Posted 09-20-2017 04:29 AM

    Hi Ujwol,

    Not yet. I have asked our customer about the version of IIS he is using. Still haven't received any response. I will give a short feedback on this later.

     

    Best Regards,

    Krishna