Details
Being able to specify different path-delimiters on Tomcat creates the possibility that an attacker can access applications that were previously blocked by a proxy like mod_proxy.
Rationale:
Allowing additional path-delimiters allows for an attacker to get to an application or area which was not previously visible.
Solution
To start Tomcat with ALLOW_BACKSLASH and ALLOW_ENCODED_SLASH set to false, add -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false and -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false to your startup script.
Default Value:
By default both parameters are set to false.
References:
https://tomcat.apache.org/tomcat-8.0-doc/config/systemprops.html
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.