Posted to users@tomcat.apache.org by Stéphane BAUDET <sb...@gltrade.fr> on 2001/10/16 17:50:55 UTC
Security bug in isapi_redirect.dll and Tomcat 3.2.3 ?
Hello,
I'm running IIS 5.0 with Tomcat 3.2.3
I've set up my uriworkermap.properties with this information:
/mycontext/servlet/*=$(default.worker)
/mycontext/*.jsp=$(default.worker)
so only the servlet and the .jsp are served by Tomcat.
Under the /mycontext directory I've got the following directory structure
(which is standard):
/mycontext/images: contains the images of my web server
/mycontext/jsp: my jsp
/mycontext/WEB-INF : where my classes and jar files are.
In testing, I'm running only Tomcat, and that works fine.
In production I'm running IIS + Tomcat to optimize the static part.
So I've decided to create a virtual directory which points to
/mycontext with read-only permission.
The optimisation works fine, and my images are served 10 times faster.
But I've noticed this strange behaviour:
If I type http://localhost/mycontext/jsp/index.jsp
I get my JSP page,
but if I type
http://localhost//mycontext/jsp/index.jsp, the source code of my JSP is
displayed in my browser!!!!
As a workaround, I've disabled the read permission on /mycontext/jsp in IIS.
I would like to know if this is a security issue in the isapi_redirect.dll
or if it's the proper behaviour.
Would you be kind enough to reply to sbaudet@gltrade.fr, as I'm currently
off the list.
Thanks,
Stéphane
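The behaviour reported above is the classic shape of a path-normalisation mismatch between a front-end filter and the file server behind it. The following is an added example, written for this page and not taken from isapi_redirect.dll, Tomcat, or the poster. It models the two uriworkermap.properties rules from the message and shows that if the rules are matched against the raw request path, `//mycontext/jsp/index.jsp` matches neither rule, while the same path still resolves to the same file once duplicate slashes are collapsed, so a static-file server handed that request would return the JSP source. Matching against a normalised path closes the gap. The rule semantics used here (`/ctx/*` as a prefix match, `/ctx/*.jsp` as an extension match under the context) and the `route` function are assumptions for illustration; the example also goes slightly beyond the post by normalising `.` and `..` segments, not only doubled slashes.

```python
"""Added example: mapping-rule matching on raw vs. normalised request paths.

Not the isapi_redirect.dll or Tomcat source; the rule semantics below are
an assumption chosen to illustrate the mismatch described in the post.
"""
import posixpath

# Constructed to mirror the two rules quoted in the post.
RULES = {
    "/mycontext/servlet/*": "default.worker",
    "/mycontext/*.jsp": "default.worker",
}


def normalize_path(path: str) -> str:
    """Collapse repeated slashes and resolve '.' / '..' segments.

    posixpath.normpath preserves a leading '//' (POSIX treats it as
    implementation-defined), so the extra leading slashes are stripped
    explicitly before normalising.
    """
    path = "/" + path.lstrip("/")
    return posixpath.normpath(path)


def rule_matches(pattern: str, path: str) -> bool:
    """Assumed semantics: '/ctx/*' is a prefix match; '/ctx/*.ext' matches
    any path under '/ctx/' that ends in '.ext'; anything else is exact."""
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1])
    if "*." in pattern:
        prefix, ext = pattern.split("*.", 1)
        return path.startswith(prefix) and path.endswith("." + ext)
    return path == pattern


def match_worker(path: str, rules=RULES):
    """Return the worker name for the first matching rule, else None."""
    for pattern, worker in rules.items():
        if rule_matches(pattern, path):
            return worker
    return None


def route(request_path: str, normalize: bool) -> str:
    """Decide who serves the request.

    With normalize=False the rules see the raw path, so a doubled slash
    defeats the match and the request falls through to the static server.
    The static server resolves the path to the same file either way, which
    is what exposes the JSP source in the post's scenario.
    """
    path = normalize_path(request_path) if normalize else request_path
    worker = match_worker(path)
    if worker is not None:
        return "tomcat:" + worker
    return "iis-static:" + normalize_path(request_path)


if __name__ == "__main__":
    for uri in ("/mycontext/jsp/index.jsp", "//mycontext/jsp/index.jsp",
                "/mycontext/./jsp//index.jsp", "/mycontext/images/logo.gif"):
        print(f"{uri:32} raw -> {route(uri, False):40} "
              f"normalised -> {route(uri, True)}")
```

The practical check is the last line of the table the script prints: every spelling of the JSP path must reach the same decision. Any URI that changes routing but not the file it resolves to is the kind of input the poster found, and the poster's workaround (removing IIS read permission on the JSP directory) is the right defence-in-depth measure regardless of how the redirector matches, because it stops the fall-through from serving source at all.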