Issues » Broken Access Control — Normalization Filter

Issue: SI-68
Date: Jun 30, 2023, 11:00:00 AM
Severity: Medium
Requires Admin Access: No
Fix Version: 23.06+, LTS 22.03.7+, LTS 23.01.4+
Credit: Internal Security Team
Description:

In dotCMS, the NormalizationFilter is run on every request to strip invalid characters from incoming URLs. The default list of invalid characters to strip failed to include double slashes (//), which allows a URL to be constructed that can circumvent XSS and access controls built into dotCMS. An example of an affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp; this URL should not be externally accessible and should result in a 404/Not Found response.  The "default" list of invalid URL characters can be found here:

https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37

Affected dotCMS versions:

  • 5.3.8
  • 21.06
  • 22.03
  • 23.01
Mitigation:

URLs that contain double slashes can be blocked at an upstream firewall / WAF or can be blocked by using dotCMS config variables.  In dotCMS, the default list of invalid characters can be overridden by passing an environmental variable DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS that adds // to a comma separated list of invalid strings, e.g.:

DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS=;,..,/./,\\,?,%3B,%2E,%5C,%3F,%00,\0,\r,\n,\f,//

It is also possible to pass an environmental variable DOT_URI_NORMALIZATION_FORBIDDEN_REGEX regex that can be tested for and blocked for more fine grained control.  For example, to block //html.* you could set:

DOT_URI_NORMALIZATION_FORBIDDEN_REGEX=^\/\/html\/.*

References
  • CVE-2023-3042

Highly Rated and Recommended

We're rated Excellent 4.2/5 stars on G2 - with 95+ verified reviews