Request: https://<server>:<port>/META-INf./template.mf
Response: Content of template.mf

Here the Tomcat URL filter for restricting access to META-INF and WEB-INF can be evaded by using a "." at the end of the directory name and by keeping at least one character lowercase.
Tomcat correctly returns a 404 for such requests. I suspect the root cause here is a poorly configured reverse proxy. Also, vulnerability reports should NOT be made via a public bug tracker. The correct process is described at http://tomcat.apache.org/security.html
Mark: did you test on Windows? The `.` behavior is a Windows thing. Case folding could also happen on macOS. (I'm not endorsing the bug, just guessing about how this could be. And I don't have a Tomcat instance handy to test.)
(In reply to Josh Soref from comment #2)
> mark: did you test on Windows?

Yes, the tests included Windows.

> the `.` behavior is a Windows thing.

Not with Tomcat it isn't. The '.' is enough to always trigger a 404 unless there actually is a directory with that name. I also tested without the '.'.

> Case folding could also happen on macOS.

Tomcat has code that explicitly prevents this on any case insensitive file system. It can be disabled if allowLinking is set to true but that is why there is a huge security warning in the docs about enabling that on case insensitive file systems.

> (I'm not endorsing the bug, just guessing about how this could be. And I
> don't have a tomcat instance handy to test.)

As I previously stated, the behaviour described looks like a poorly configured reverse proxy.
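The bypass claimed in the report and the reverse-proxy explanation in the replies come down to the same mismatch: a deny rule compares the raw request path against META-INF/WEB-INF, while the component that eventually opens the file applies different normalisation (case folding, trailing-dot stripping on Windows). The Python below is an added example, not code from the Tomcat project or from any commenter; the function names and the sample paths are assumptions made for illustration. It places a naive prefix filter beside a hardened one that canonicalises the path the way a case-insensitive backend would resolve it before applying the deny rule.

```python
import posixpath
from urllib.parse import unquote

# Directories a servlet container must never serve directly (web app root).
PROTECTED = {"meta-inf", "web-inf"}


def naive_is_blocked(path: str) -> bool:
    """Deny rule on the raw request path, as a front-end proxy ACL might do.

    Case-sensitive, no decoding, no normalisation: this is the kind of rule
    that a request for '/META-INf./template.mf' slips past.
    """
    return path.startswith("/META-INF/") or path.startswith("/WEB-INF/")


def canonicalize(path: str) -> str:
    """Rewrite a request path into the form a lax backend would resolve.

    Each step closes one mismatch between the filter and the file system:
      1. percent-decode twice so %2e, %2f and double-encoded forms are seen;
      2. treat backslashes as separators (Windows accepts them);
      3. drop leading slashes and collapse '.' and '..' segments;
      4. strip trailing dots and spaces from every segment (Windows ignores
         them when opening a file) and fold case (NTFS, default macOS).
    """
    decoded = unquote(unquote(path)).replace("\\", "/")
    collapsed = posixpath.normpath("/" + decoded.lstrip("/"))
    segments = [seg.rstrip(". ").lower() for seg in collapsed.split("/")]
    return "/".join(segments)


def hardened_is_blocked(path: str) -> bool:
    """Deny rule applied to the canonical path: the first segment must not
    be a protected directory, whatever spelling the client used."""
    first_segment = canonicalize(path).split("/")[1]
    return first_segment in PROTECTED


if __name__ == "__main__":
    # Constructed sample requests, including the one from the bug report.
    samples = [
        "/META-INf./template.mf",
        "/WEB-INF/web.xml",
        "/static/../WEB-INF/web.xml",
        "/%2557EB-INF/web.xml",
        "\\WEB-INF\\web.xml",
        "/index.html",
    ]
    for sample in samples:
        print(f"{sample!r:32} naive={naive_is_blocked(sample)!s:5} "
              f"hardened={hardened_is_blocked(sample)!s:5} "
              f"canonical={canonicalize(sample)}")
```

The point of the hardened version is not the specific list of tricks but the ordering: decode and normalise first, in the same way the component that serves the file will, and only then compare. A proxy that checks before the backend normalises, or normalises differently from it, is exactly the misconfiguration the replies point at.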