Posted to dev@tomcat.apache.org by BugRat Mail System <to...@cortexity.com> on 2000/09/01 11:51:52 UTC

BugRat Report #60 has been filed.

Bug report #60 has just been filed.

You can view the report at the following URL:

   <http://znutar.cortexity.com:8888/BugRatViewer/ShowReport/60>

REPORT #60 Details.

Project: Tomcat
Category: Bug Report
SubCategory: New Bug Report
Class: swbug
State: received
Priority: high
Severity: critical
Confidence: public
Environment: 
   Release: 3.1
   JVM Release: 1.2.2 Sun
   Operating System: WinNT
   OS Release: 4.0
   Platform: intel

Synopsis: 
apache-tomcat.conf

Description:
There seems to be a small sec-hole in your almost perfect work.
Not in tomcat itself (God save it), but in <tomcat-apache.conf>
that your cat generates. I'd not even call it a hole,
just a little misconfig that allows wise people
to get into your WEB-INF directory, which seems to be protected
by the following lines of that file:

<Location /contextdir/WEB-INF/>
    AllowOverride None
    deny from all
</Location>

Maybe it's not so crucial, as smart people use their own config files,
not those that are generated automatically. Still, most probably
they base their configs on yours, and it may cause not problems
but misunderstandings, as I'd not call it a problem if people look
at the content of your web-inf and copy it to their hard drives.
You should be open. Am I right?
As far as I know you cannot do a lot of harm if you have only HTTP access,
but frankly I am not well-informed in this area.
But returning to our topic.

So the <Location> directive deals with URLs.

The main thing I am talking about is that if you request
a URL like  http://server/contextdir/WEB-INF/  you'll get
a 403 error (forbidden), and that's great, but
if I type in my browser  http://server/contextdir/web-inf/  (lowercased)
I'll get the index of that web-inf successfully and with great pleasure.
And later on I can do rather a lot with it.

The matter of our discussion is that for the browser they are
two different URLs, and it therefore treats them differently.

You ban only one of these URLs in your <Location> directive,
but the other can still be used to reach the WEB-INF dir so far.