Posted to users@tomcat.apache.org by Robert Kudyba <rk...@ncmintmail.com> on 2006/03/02 16:07:35 UTC

httpd.conf equivalent options in Tomcat's xml config files

We ran a vulnerability assessment (results follow below) and here are two
issues that popped up. The results suggest changing directives in the
httpd.conf file, which of course we don't have. What equivalent options in
Tomcat's XML config file(s) need to be set to fix these?

"The Mac OS X Finder creates a file called .DS_Store in each directory that
it views. Some versions of OS X include system configuration information and
file location information in these files. The .DS_Store files can be
accessed from this server via a web request such as http://IP/.DS_Store.
Service: Apache-Coyote/1.1
Bugtraq:3316
Configure your Apache server to block access to these files with the
FileMatch feature of httpd.conf.

Some distributions of Apache, especially in Red Hat 7.0, allow an attacker
to probe a system for user names via requests for user home pages (e.g.,
http://host/~username).
Service: Apache-Coyote/1.1
CVE:CAN-2001-1013
Bugtraq:3335
Disabling the UserDir directive in the Apache configuration file
(httpd.conf) will prevent this, although it will also prevent users from
providing their own web pages. Alternately, specify ErrorDocuments for both
403 (Forbidden) and 404 (Page Not Found) responses."


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: httpd.conf equivalent options in Tomcat's xml config files

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
re: .DS_Store

A couple of ways I can think of doing it:
1. Protect it using web.xml (security) with a matching URL pattern
2. Write a simple filter that checks the URL and returns the error

Filip




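The two options in Filip's reply, written out as an added example (this is not code from the thread or from Tomcat itself). It assumes the Servlet 2.4 API shipped with Tomcat 5.x (javax.servlet), and the class name DotFileBlockingFilter, the init-param name blockedNames and the web.xml fragments in the comments are this example's own choices. It covers only the .DS_Store finding, which is the one the reply addressed. The filter compares the container-decoded path and does so case-insensitively, so neither a %2E-encoded name nor a different-case name on a case-insensitive filesystem reaches the default servlet; it answers 404 rather than 403 so the response does not confirm the file exists. The declarative alternative relies on the Servlet spec's `*.ext` extension mapping to match a .DS_Store in any directory; after deploying either option, verify by requesting both /.DS_Store and /some/dir/.DS_Store.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Option 2 from the reply: a filter that rejects requests for .DS_Store
// (or any other file name listed in its init-param) anywhere under the
// context. Registered in WEB-INF/web.xml like this (names are this
// example's own choices):
//
//   <filter>
//     <filter-name>DotFileBlockingFilter</filter-name>
//     <filter-class>DotFileBlockingFilter</filter-class>
//     <init-param>
//       <param-name>blockedNames</param-name>
//       <param-value>.DS_Store</param-value>
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>DotFileBlockingFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
//
// Option 1 (declarative, no code): a security-constraint whose empty
// auth-constraint denies the matched resources to every user (Tomcat
// then answers 403):
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Finder metadata</web-resource-name>
//       <url-pattern>*.DS_Store</url-pattern>
//     </web-resource-collection>
//     <auth-constraint/>
//   </security-constraint>
public class DotFileBlockingFilter implements Filter {

    /** Lower-cased file names (path segments) that must never be served. */
    private final Set<String> blockedNames = new HashSet<String>();

    public void init(FilterConfig config) throws ServletException {
        String names = config.getInitParameter("blockedNames");
        if (names == null || names.trim().length() == 0) {
            names = ".DS_Store"; // default when the init-param is absent
        }
        for (String name : names.split(",")) {
            if (name.trim().length() > 0) {
                blockedNames.add(name.trim().toLowerCase(Locale.ENGLISH));
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (isBlocked(contextRelativePath(request))) {
            // 404 rather than 403: the response then does not confirm
            // that the file exists on disk.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        blockedNames.clear();
    }

    /**
     * Path inside the web application. getServletPath() and getPathInfo()
     * are URL-decoded by the container, unlike getRequestURI(), so a
     * request for %2EDS_Store is seen here as .DS_Store.
     */
    static String contextRelativePath(HttpServletRequest request) {
        String path = request.getServletPath();
        if (path == null) {
            path = "";
        }
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        return path;
    }

    /**
     * True if any path segment is a blocked name. Compared case-insensitively
     * because on a case-insensitive filesystem /.ds_store is the same file.
     */
    boolean isBlocked(String path) {
        for (String segment : path.split("/")) {
            if (blockedNames.contains(segment.toLowerCase(Locale.ENGLISH))) {
                return true;
            }
        }
        return false;
    }
}
```

The filter form is the more flexible of the two because it sees the whole decoded path and can carry a list of names (`.DS_Store,._*` style patterns would need a glob match, which this example does not implement); the security-constraint form needs no code but matches only what a servlet url-pattern can express.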