Tomcat path traversal via reverse proxy mapping - Vulnerability Database

Tomcat path traversal via reverse proxy mapping

Description

Apache Tomcat and the reverse proxies placed in front of it (such as nginx or Apache HTTP Server) normalize URL paths differently, and the gap between the two behaviours is exploitable. Most reverse proxies treat /..;/ as a literal path segment and forward it unchanged, so their path-based access rules never see a traversal. Tomcat, however, treats everything after a semicolon within a segment as a path parameter and strips it, so /..;/ becomes /../ and is then resolved as a parent-directory traversal. This normalization inconsistency lets an attacker bypass the reverse proxy's access controls and reach Tomcat resources that the proxy was meant to keep protected or unmapped.

Remediation

Configure your reverse proxy to block or sanitize requests containing the semicolon character (;) in URL paths before they reach Tomcat. Implementation varies by reverse proxy:

For nginx:

location / {
    # Reject requests with semicolons in the URI
    if ($request_uri ~ ";") {
        return 400;
    }
    proxy_pass http://tomcat_backend;
}

For Apache HTTP Server:

# Reject requests containing semicolons
RewriteEngine On
RewriteCond %{REQUEST_URI} ;
RewriteRule .* - [F,L]

Additionally, ensure Tomcat is updated to the latest version and consider setting the allowBackslash and allowEncodedSlashes attributes to false in Tomcat's Connector configuration for defense in depth.
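As an added example (not part of this database entry), the following Python models the two normalizations contrasted in the Description, applies the semicolon rule from the Remediation, and runs both over constructed nginx access-log lines to flag requests that the proxy would pass but Tomcat would map to a protected path. The protected prefixes, the log lines and all function names are assumptions.

```python
import re

# Hypothetical policy: the proxy exposes /app and must keep these Tomcat paths unreachable.
PROTECTED_PREFIXES = ("/internal", "/admin")

def collapse_dots(path: str) -> str:
    """Collapse '.' and '..' segments, as both the proxy and Tomcat do after splitting the path."""
    out: list[str] = []
    for seg in path.split("/"):
        if seg == "..":
            out = out[:-1]
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def proxy_view(path: str) -> str:
    """Reverse proxy: '..;' is an ordinary segment name, so it never climbs a directory."""
    return collapse_dots(path)

def tomcat_view(path: str) -> str:
    """Tomcat: ';param' is stripped from every segment first, so '..;' becomes '..'."""
    return collapse_dots("/".join(seg.split(";", 1)[0] for seg in path.split("/")))

def is_protected(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)

def rejected_by_semicolon_rule(path: str) -> bool:
    """Mirror of the nginx/Apache remediation above: reject any path containing ';'."""
    return ";" in path

REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/')

def scan_access_log(lines: list[str]) -> list[tuple[str, str]]:
    """(raw_path, tomcat_path) for requests the proxy lets through but Tomcat maps to a protected path."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        raw = m.group(1).split("?", 1)[0]  # drop the query string
        if not is_protected(proxy_view(raw)) and is_protected(tomcat_view(raw)):
            hits.append((raw, tomcat_view(raw)))
    return hits

# Constructed sample lines in nginx combined-log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Jan/2024:12:00:02 +0000] "GET /app/..;/internal/config HTTP/1.1" 200 1034',
    '10.0.0.9 - - [10/Jan/2024:12:00:03 +0000] "GET /app/search;jsessionid=ABC123?q=x HTTP/1.1" 200 88',
]
```

The third constructed line carries a legitimate ;jsessionid= path parameter: the mismatch check leaves it alone, but the blanket semicolon rule from the remediation rejects it too, so applications that rely on URL-rewritten session IDs need to move to cookie-based sessions before that rule is deployed.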