For details of the vulnerability, see: http://blog.nsfocus.net/cve-2020-1938/
Reproduction reference: https://github.com/0nise/CVE-2020-1938
Note in particular that in older Tomcat versions the AJP connector is enabled by default!
Local reproduction, Tomcat version 7.0.95:
1. server.xml configuration:
Start Tomcat, open cmd and run the command:
The file can be read. Now modify the server.xml configuration:
Start Tomcat and run the test again:
Access is refused, which shows that our configuration took effect.
The nsfocus post linked above (http://blog.nsfocus.net/cve-2020-1938/) says that Tomcat 7 should use:
address="127.0.0.1" secret="xxxxx"
That appears to be wrong. After testing, Tomcat 7 should use:
address="127.0.0.1" requiredSecret="xxxx"
The tested result is what counts!
To be safe, set both:
address="127.0.0.1" secret="xxxxx" requiredSecret="xxxx"
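As an added example (not part of the original post or of Tomcat itself), the script below audits a server.xml for the two mitigations described above: every AJP connector should be bound to a loopback address and should carry a shared secret, checked under either attribute name the post mentions (requiredSecret for Tomcat 7, secret for later releases). The two server.xml documents embedded in it are constructed samples, and the function names are my own.

```python
"""Audit a Tomcat server.xml for AJP connectors left open to CVE-2020-1938 (Ghostcat).

Added example, not from the original post. For each <Connector protocol="AJP/1.3">
it reports whether the connector binds only to loopback and whether a shared
secret is configured (accepting both the Tomcat 7 `requiredSecret` attribute and
the newer `secret` attribute, as the post describes).
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET

# Addresses considered "local only"; anything else (or no address at all) is flagged.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """Return one finding per AJP connector, in document order."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat defaults protocol to HTTP/1.1; AJP connectors always state it explicitly.
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        address = conn.get("address")
        has_secret = bool(conn.get("secret") or conn.get("requiredSecret"))
        issues = []
        if address is None:
            issues.append("binds all interfaces (no address attribute)")
        elif address not in LOOPBACK_ADDRESSES:
            issues.append(f"binds non-loopback address {address}")
        if not has_secret:
            issues.append("no secret/requiredSecret configured")
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "has_secret": has_secret,
            "issues": issues,
        })
    return findings


def is_exposed(findings: list[dict]) -> bool:
    """True if any AJP connector still has an unresolved issue."""
    return any(f["issues"] for f in findings)


# Constructed sample: the stock layout with AJP on every interface and no secret.
VULNERABLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample: the hardened connector from the post (loopback plus both secret attributes).
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secret="CHANGE_ME" requiredSecret="CHANGE_ME" />
  </Service>
</Server>
"""


def audit_file(path: str) -> list[dict]:
    """Convenience wrapper to audit a server.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_ajp_connectors(fh.read())


if __name__ == "__main__":
    # Usage: python audit_ajp.py [path/to/server.xml]; without a path the samples are audited.
    if len(sys.argv) > 1:
        results = audit_file(sys.argv[1])
    else:
        results = audit_ajp_connectors(VULNERABLE_SERVER_XML) + audit_ajp_connectors(HARDENED_SERVER_XML)
    for f in results:
        status = "EXPOSED" if f["issues"] else "ok"
        print(f"AJP port {f['port']} address={f['address']} secret={f['has_secret']}: {status} {f['issues']}")
```

Run it against the real conf/server.xml after editing; an AJP connector that is commented out produces no finding at all, which is also an acceptable state if AJP is not needed.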