CVE-2007-1860

This vulnerability abuses double URL decoding between Apache (mod_jk) and Tomcat. Apache decodes the URL once and forwards it to Tomcat, which decodes it again—allowing attackers to bypass path restrictions and access protected Tomcat endpoints such as /manager/html.

Architecture Context

Apache listens on port 80/443 and proxies requests to Tomcat running on a higher port.
Proxying is commonly done via:
- http_proxy (HTTP)
- mod_jk using AJP13 (used here)
Whether Apache or Tomcat handles a request can be identified by 404 error page style.

The Vulnerability (CVE-2007-1860)

Apache and Tomcat both URL-decode paths

Double-encoded traversal like:

%252e%252e  → Apache decodes to %2e%2e → Tomcat decodes to ..

This enables directory traversal into protected Tomcat paths

Attack Strategy

Find a path Apache forwards to Tomcat (e.g. /examples/jsp/)
Use double-encoded traversal to reach:
```
/manager/html
```

Example pattern:

/examples/jsp/%252e%252e/%252e%252e/manager/html

If successful, Tomcat prompts for credentials
Guess default Tomcat Manager credentials to gain access

Even without mod_jk, always try:

webapp/../manager/html

webapp/%252e%252e/manager/html

info

More Info: https://pentesterlab.com/exercises/cve-2007-1860

Architecture Context​

The Vulnerability (CVE-2007-1860)​

Attack Strategy​

Architecture Context

The Vulnerability (CVE-2007-1860)

Attack Strategy