We would like to know whether this Unexpected access to a protected resource in the backend server Tomcat without authentication vulnerability has been closed in any of the current version. If yes, please let me know know the version from which this vulnerability was patched.
HiI Krishna , I think the resolution for this is to include semicolon in the list of BadCssChars ACO
Thanks for your reply. I have read about this workaround. Actually this is a vulnerability. I am expecting CA should have patched it in upcoming releases. Please let me know if it was patched.
Thank you for your quick response. When we communicated with the customer we came to know that he is using IIS web-server in back-end not Apache. Do we have the same issue in IIS as well ?
If you disable sso, does apache allow access to the file?
if yes, then it needs to be patched on Apache/tomcat level. May be there is some option to disable this path parameter in Apache side?
Seems to be fixed in IIS 7.0 and higher version:
Hi Krishna ,
Do you have any further question here?
Not yet. I have asked our customer about the version of IIS he is using. Still haven't received any response. I will give a short feedback on this later.