Broken Access Control — Normalization Filter

Issue: SI-68
Date: Jun 30, 2023, 11:00:00 AM
Severity: Medium
Requires Admin Access: No
Fix Version: 23.06+, LTS 22.03.7+, LTS 23.01.4+
Credit: Internal Security Team
Description:

In dotCMS, the NormalizationFilter runs on every request and strips invalid characters from incoming URLs. The default list of invalid characters did not include double slashes (//), so a URL can be constructed that circumvents the XSS and access controls built into dotCMS. An example of an affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp; this URL should not be externally accessible and should return a 404/Not Found response. The default list of invalid URL characters can be found here:

https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37

Affected dotCMS versions:

  • 5.3.8
  • 21.06
  • 22.03
  • 23.01

Mitigation:

URLs that contain double slashes can be blocked at an upstream firewall / WAF, or they can be blocked with dotCMS config variables. In dotCMS, the default list of invalid characters can be overridden by setting the environment variable DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS to a comma-separated list of invalid strings that includes //, e.g.:

DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS=;,..,/./,\\,?,%3B,%2E,%5C,%3F,%00,\0,\r,\n,\f,//

It is also possible to set the environment variable DOT_URI_NORMALIZATION_FORBIDDEN_REGEX to a regular expression; any request URI that matches it is blocked, which gives more fine-grained control. For example, to block //html.* you could set:

DOT_URI_NORMALIZATION_FORBIDDEN_REGEX=^\/\/html\/.*
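To see how the two mitigation variables change what the filter rejects, and why the default list above lets the double-slash URL from the description through, here is an added model of the normalization check. It is example code written for this page, not dotCMS's NormalizationFilter, and it makes one assumption: each comma-separated token in DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS is matched as a literal substring of the request URI (how dotCMS decodes escape sequences such as \0 is not shown here). The sample URIs are constructed for the example.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional

# Default list as published in the advisory (the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS
# value above, minus the trailing "//" that the mitigation adds). Assumption: each
# token is a literal substring; no escape decoding is applied.
DEFAULT_FORBIDDEN_STRINGS = r";,..,/./,\\,?,%3B,%2E,%5C,%3F,%00,\0,\r,\n,\f"
MITIGATED_FORBIDDEN_STRINGS = DEFAULT_FORBIDDEN_STRINGS + ",//"
# The regex example from the advisory.
EXAMPLE_FORBIDDEN_REGEX = r"^\/\/html\/.*"


def parse_forbidden_strings(value: str) -> list:
    """Split the comma-separated env value into non-empty literal tokens."""
    return [tok for tok in value.split(",") if tok]


@dataclass
class NormalizationPolicy:
    """Model of the forbidden-string and forbidden-regex checks applied to a request URI."""
    forbidden_strings: list
    forbidden_regex: Optional[re.Pattern] = None

    @classmethod
    def from_env(cls, env: Optional[dict] = None) -> "NormalizationPolicy":
        """Build a policy from the two env variables; defaults to the advisory's default list."""
        if env is None:
            env = dict(os.environ)
        strings = parse_forbidden_strings(
            env.get("DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS", DEFAULT_FORBIDDEN_STRINGS)
        )
        regex_src = env.get("DOT_URI_NORMALIZATION_FORBIDDEN_REGEX")
        regex = re.compile(regex_src) if regex_src else None
        return cls(strings, regex)

    def reject_reason(self, uri: str) -> Optional[str]:
        """Return why the URI is rejected, or None if it passes the filter."""
        for tok in self.forbidden_strings:
            if tok in uri:
                return f"forbidden string {tok!r}"
        if self.forbidden_regex and self.forbidden_regex.search(uri):
            return f"matches regex {self.forbidden_regex.pattern!r}"
        return None


# Constructed sample URIs: the advisory's path (without the host) plus a few controls.
SAMPLE_URIS = [
    "//html/portlet/ext/files/edit_text_inc.jsp",  # the double-slash bypass from the advisory
    "/html/portlet/ext/files/edit_text_inc.jsp",   # same path without the double slash
    "//api/content",                               # double slash outside the regex's prefix
    "/a/../b",                                     # caught by the default '..' token
    "/index.html",                                 # benign request
]


def main() -> None:
    policies = {
        "default (vulnerable)": NormalizationPolicy.from_env({}),
        "strings + //": NormalizationPolicy.from_env(
            {"DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS": MITIGATED_FORBIDDEN_STRINGS}
        ),
        "regex only": NormalizationPolicy.from_env(
            {"DOT_URI_NORMALIZATION_FORBIDDEN_REGEX": EXAMPLE_FORBIDDEN_REGEX}
        ),
    }
    for name, policy in policies.items():
        print(f"== {name} ==")
        for uri in SAMPLE_URIS:
            print(f"  {uri:45} -> {policy.reject_reason(uri) or 'allowed'}")


if __name__ == "__main__":
    main()
```

Running it shows the difference between the two mitigations: adding // to the string list rejects every double-slash URI, while the example regex rejects only those under //html/ and still admits a URI such as //api/content, so the regex form trades coverage for precision.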


References:
  • CVE-2023-3042