Posted to users@tomcat.apache.org by Stéphane BAUDET <sb...@gltrade.fr> on 2001/10/16 17:50:55 UTC

Security bug in isapi_redirect.dll and Tomcat 3.2.3 ?

Hello,

I'm running IIS 5.0 with Tomcat 3.2.3.
I've set up my uriworkermap.properties with this information:

/mycontext/servlet/*=$(default.worker)
/mycontext/*.jsp=$(default.worker)

so only the servlets and the .jsp files are served by Tomcat.

Under the /mycontext directory I've got the following directory structure
(which is standard):

/mycontext/images: contains the images of my web server
/mycontext/jsp: my JSPs
/mycontext/WEB-INF: where my classes and jar files are.

In test, I'm running only Tomcat, and that works fine.
In production I'm running IIS + Tomcat to optimize the static part.
So I've decided to create a virtual directory which points to:

/mycontext with read only permission.

The optimisation works fine, and my images are served 10 times faster.
But I've noticed this strange behaviour:

If I type http://localhost/mycontext/jsp/index.jsp
I get my JSP page,

but if I type:
http://localhost//mycontext/jsp/index.jsp, the source code of my jsp is
displayed in my browser !!!!

As a workaround, I've disabled the read permission of /mycontext/jsp in IIS.

I would like to know if this is a security issue in the isapi_redirect.dll
or if it's the proper behaviour.

Would you be kind enough to reply to sbaudet@gltrade.fr, as I'm currently
off the list.

Thanks,

Stéphane
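The behaviour described in the post is a classic path-normalization mismatch: the redirector compares the raw request URI against its `/mycontext/*.jsp` mapping, so `//mycontext/jsp/index.jsp` does not match and falls through to IIS, which then serves the file from the readable virtual directory as static content. The following is an added example, not code from the post or from isapi_redirect.dll itself: a small Python model of the two mapping entries above, with a naive matcher beside a matcher that normalizes the URI (collapsing repeated slashes and resolving `.`/`..` segments, which goes a little beyond the single double-slash case in the post) before comparing. The pattern-to-regex translation, `route()` and `normalize_uri()` are illustrative assumptions about how such a matcher could work, not the real redirector's logic.

```python
import posixpath
import re

# Constructed from the two uriworkermap.properties entries quoted in the post.
# Worker name is a placeholder; the real file uses $(default.worker).
URIWORKERMAP = {
    "/mycontext/servlet/*": "default.worker",
    "/mycontext/*.jsp": "default.worker",
}


def _pattern_to_regex(pattern):
    """Turn a uriworkermap pattern into an anchored regex.

    Assumption (illustrative, not the redirector's real code): '*' matches
    any run of characters, so '/mycontext/servlet/*' is a prefix match and
    '/mycontext/*.jsp' is a prefix-plus-suffix match.
    """
    parts = pattern.split("*")
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$")


def match_worker(uri, mapping=URIWORKERMAP):
    """Return the worker name for a matching entry, or None if nothing matched
    (in which case the web server serves the request itself)."""
    for pattern, worker in mapping.items():
        if _pattern_to_regex(pattern).match(uri):
            return worker
    return None


def normalize_uri(uri):
    """Canonicalize a request path before matching.

    Repeated slashes are collapsed first because posixpath.normpath keeps a
    leading '//' (POSIX allows it to be significant); then '.' and '..'
    segments are resolved. A trailing slash is preserved.
    """
    collapsed = re.sub(r"/+", "/", uri)
    normalized = posixpath.normpath(collapsed)
    if collapsed.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def route(uri, normalize):
    """Decide who serves the request.

    Returns ("tomcat", worker) when a mapping matched, else ("iis", None),
    meaning the static file handler would serve the path as-is.
    """
    candidate = normalize_uri(uri) if normalize else uri
    worker = match_worker(candidate)
    return ("tomcat", worker) if worker else ("iis", None)


if __name__ == "__main__":
    for uri in ("/mycontext/jsp/index.jsp",
                "//mycontext/jsp/index.jsp",
                "/mycontext/./jsp/index.jsp",
                "/mycontext/images/logo.gif"):
        print(uri, "raw ->", route(uri, normalize=False),
              "normalized ->", route(uri, normalize=True))
```

The practical check is the one the poster already did: request the same .jsp with a doubled slash (and with `.` or `..` segments) against the front-end web server and confirm you get the rendered page rather than source. Normalizing on the matcher side closes the gap, but the poster's workaround is the more robust fix: never give the static file handler read access to directories whose content should only ever be executed by Tomcat.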